[FIXED in 1.0.10] SQL Injection vulnerability Joomla! 1.0.9 Stable

Discussion regarding Joomla! security issues.

Moderator: General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
User avatar
Bettinz
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 209
Joined: Fri Sep 23, 2005 3:31 pm
Location: Italy
Contact:

[FIXED in 1.0.10] SQL Injection vulnerability Joomla! 1.0.9 Stable

Post by Bettinz » Sun Jun 18, 2006 2:09 pm

sorry for my english, but i'm italian  ;)
i've read this vulnerability in Mambo, and i ask to you if Joomla is protected against that
http://www.securityfocus.com/archive/1/437496
Last edited by stingrey on Wed Jun 28, 2006 3:48 pm, edited 1 time in total.

User avatar
stingrey
Joomla! Hero
Joomla! Hero
Posts: 2756
Joined: Mon Aug 15, 2005 4:36 pm
Location: Marikina, Metro Manila, Philippines
Contact:

Re: [UNDER REVIEW] Is Joomla secure against that?

Post by stingrey » Sun Jun 18, 2006 2:26 pm

We have only just become aware of this report and will investigate to see whether this also affects Joomla!



Initial thoughts are that since it is specifically referenced as affecting only Mambo 4.6 RC and not earlier versions of Mambo, than it is likely only to affect the latest installment of Mambo.  That is the vulnerabiity is possibly due to a change made in Mambo 4.6.

Note however, this is only speculation at this stage.  A definiitive answer can only be made with further investigation.



Note that this report has not yet been confirmed by Team Mambo officials as being an actual vulnerability
http://forum.mamboserver.com/showthread.php?t=81652
Last edited by stingrey on Sun Jun 18, 2006 2:31 pm, edited 1 time in total.
Rey Gigataras
http://www.wizmediateam.com <-- great team of talented Web Designers and Programmers!
http://about.me/reygigataras <-- About Me :)
Partner, Business Development & Project Manager, Event Manager, Sports Coach :D

User avatar
Bettinz
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 209
Joined: Fri Sep 23, 2005 3:31 pm
Location: Italy
Contact:

Re: [UNDER REVIEW] Is Joomla secure against that?

Post by Bettinz » Sun Jun 18, 2006 2:37 pm

stingrey wrote: We have only just become aware of this report and will investigate to see whether this also affects Joomla!



Initial thoughts are that since it is specifically referenced as affecting only Mambo 4.6 RC and not earlier versions of Mambo, than it is likely only to affect the latest installment of Mambo.  That is the vulnerabiity is possibly due to a change made in Mambo 4.6.

Note however, this is only speculation at this stage.  A definiitive answer can only be made with further investigation.



Note that this report has not yet been confirmed by Team Mambo officials as being an actual vulnerability
http://forum.mamboserver.com/showthread.php?t=81652
thanks  8)
(and compliment for the speedy  ;) )

friesengeist
Joomla! Guru
Joomla! Guru
Posts: 842
Joined: Sat Sep 10, 2005 10:31 pm

Re: [UNDER REVIEW] Is Joomla secure against that?

Post by friesengeist » Sun Jun 18, 2006 3:31 pm

stingrey wrote: Note that this report has not yet been confirmed by Team Mambo officials as being an actual vulnerability
http://forum.mamboserver.com/showthread.php?t=81652
I can confirm this for Mambo 4.5.2.3!
We may not be able to control the wind, but we can always adjust our sails

User avatar
gustavo
Joomla! Explorer
Joomla! Explorer
Posts: 427
Joined: Fri Aug 19, 2005 12:51 pm
Location: Argentina
Contact:

Mambo & Joomla | Weblinks SQL Injection Vulnerability

Post by gustavo » Sun Jun 18, 2006 11:07 pm

+ http://www.securityfocus.com/bid/18492/info

Code: Select all

echo "Joomla <= 1.0.9 'Weblinks' blind SQL injection / admin credentials\r\n";
echo "disclosure exploit (benchmark() vesion)\r\n";
echo "by rgod [email protected]\r\n";
echo "site: http://retrogod.altervista.org\r\n";
Have a nice day
Gustavo Raúl Aragón
Comunidad Joomla: Maintenance, support, translation and distribution for the Joomla!. Help site online. Member of the Spanish [es_ES] Joomla Translation Team. http://comunidadjoomla.org

User avatar
Websmurf
Joomla! Hero
Joomla! Hero
Posts: 2230
Joined: Fri Aug 19, 2005 2:23 pm
Location: The Netherlands
Contact:

Re: [UNDER REVIEW] Is Joomla secure against that?

Post by Websmurf » Mon Jun 19, 2006 9:41 am

Had a quick look.
I think your safe when you make the following changes:

open /components/com_weblinks/weblinks.php, find:

Code: Select all

/**
* Saves the record on an edit form submit
* @param database A database connector object
*/
function saveWeblink( $option ) {
	global $mosConfig_mailfrom, $mosConfig_fromname;
	global $database, $my;

	if ($my->gid < 1) {
		mosNotAuth();
		return;
	}


replace it with:

Code: Select all

/**
* Saves the record on an edit form submit
* @param database A database connector object
*/
function saveWeblink( $option ) {
	global $mosConfig_mailfrom, $mosConfig_fromname;
	global $database, $my;

	if ($my->gid < 1) {
		mosNotAuth();
		return;
	}
	
	// security check to see if link exists in a menu
	$link = 'index.php?option=com_weblinks&task=new';
	$query = "SELECT id"
	. "\n FROM #__menu"
	. "\n WHERE link LIKE '%$link%'"
	. "\n AND published = 1"
	;
	$database->setQuery( $query );
	$exists = $database->loadResult();
	if ( !$exists ) {						
		mosNotAuth();
		return;
	}
Than make sure no link exists in your menu to 'index.php?option=com_weblinks&task=new'.
Ofcourse this will not allow users to submit weblinks, but this will do for a lot of websites.
Adam van Dongen - Developer

- Blocklist, ODT Indexer, EasyFAQ, Easy Guestbook, Easy Gallery, YaNC & Redirect -
http://www.joomla-addons.org - http://www.bandhosting.nl

User avatar
Websmurf
Joomla! Hero
Joomla! Hero
Posts: 2230
Joined: Fri Aug 19, 2005 2:23 pm
Location: The Netherlands
Contact:

Re: [UNDER REVIEW] Is Joomla secure against that?

Post by Websmurf » Mon Jun 19, 2006 9:48 am

If you do want to allow users to submit links, you can make the following modification:

Find (in the same file as above):

Code: Select all

// until full edit capabilities are given for weblinks - limit saving to new weblinks only
	$row->id = 0;
Replace with:

Code: Select all

// until full edit capabilities are given for weblinks - limit saving to new weblinks only
	$row->id = 0;

	if(stristr($row->title, 'SELECT') && stristr($row->title, 'FROM') && stristr($row->title, 'WHERE')){
	  echo "<script> alert('Illegal characters in title'); window.history.go(-1); </script>\n";
		exit();
	}
This will pop up an alert if the words 'SELECT', 'FROM' and 'WHERE' are used in the weblink title (which the exploid does).

Note:
I don't know if Joomla is vulerable to the exploid, the code posted above should protect you from the exploid if it should work.
Last edited by Websmurf on Mon Jun 19, 2006 9:51 am, edited 1 time in total.
Adam van Dongen - Developer

- Blocklist, ODT Indexer, EasyFAQ, Easy Guestbook, Easy Gallery, YaNC & Redirect -
http://www.joomla-addons.org - http://www.bandhosting.nl

meowcat
Joomla! Fledgling
Joomla! Fledgling
Posts: 1
Joined: Mon Jun 19, 2006 12:25 pm

Joomla! "Name" SQL Injection Vulnerability

Post by meowcat » Mon Jun 19, 2006 12:27 pm

FYI:
http://secunia.com/advisories/20746/

Exploit:
http://milw0rm.com/exploits/1922

Please let us know how to best patch this in our existing releases? Thanks!

jazzyj
Joomla! Apprentice
Joomla! Apprentice
Posts: 17
Joined: Wed Oct 19, 2005 2:06 pm

Re: Joomla! "Name" SQL Injection Vulnerability

Post by jazzyj » Mon Jun 19, 2006 1:40 pm


User avatar
Elpie
Joomla! Guru
Joomla! Guru
Posts: 903
Joined: Wed Aug 17, 2005 11:26 pm
Contact:

Re: [UNDER REVIEW] Is Joomla secure against that?

Post by Elpie » Mon Jun 19, 2006 3:23 pm

A fix for the Mambo vulnerability has been posted on Mambo Guru http://forum.mamboguru.com/showthread.php?t=264
This patch is for 4.6 RC1 and another for 4.5.3h/4.5.4 is coming.  It is possible that the vulnerability affects older versions of Mambo as well.
When the 4.5.3h/4.5.4 patch is posted on the forum it may be useful for Joomla devs to look at (we are not going to be presumptious so wont be posting a fix for 1.0.9 ;) )
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info

User avatar
stingrey
Joomla! Hero
Joomla! Hero
Posts: 2756
Joined: Mon Aug 15, 2005 4:36 pm
Location: Marikina, Metro Manila, Philippines
Contact:

Re: [CONFIRMED] Is Joomla secure against that?

Post by stingrey » Mon Jun 19, 2006 3:46 pm

This security threat is confirmed in the Joomla! codebase and affects all previous versions of Joomla! including 1.0.9

It is being listed as a [HIGH LEVEL] threat as it can lead to the possibility of confidential user password access information being gained.
Note that this vulnerability is only exploitable by sites that have registered or above frontend access to a site.  If you have a site that does not have frontend access, you should be safe from this vulnerability.



An official fix is pending and will be released shortly.  However, we are currently examining the core to ensure no other similar vulnerability exists elsewhere in the system.
Last edited by stingrey on Mon Jun 19, 2006 3:49 pm, edited 1 time in total.
Rey Gigataras
http://www.wizmediateam.com <-- great team of talented Web Designers and Programmers!
http://about.me/reygigataras <-- About Me :)
Partner, Business Development & Project Manager, Event Manager, Sports Coach :D

User avatar
brian
Joomla! Master
Joomla! Master
Posts: 12781
Joined: Fri Aug 12, 2005 7:19 am
Location: Leeds, UK
Contact:

Re: [CONFIRMED] Is Joomla secure against that?

Post by brian » Mon Jun 19, 2006 3:51 pm

Ifnyou have frontend access but NOT the ability to submit weblinks are you vulnerable?
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/

User avatar
stingrey
Joomla! Hero
Joomla! Hero
Posts: 2756
Joined: Mon Aug 15, 2005 4:36 pm
Location: Marikina, Metro Manila, Philippines
Contact:

Re: [UNDER REVIEW] Is Joomla secure against that?

Post by stingrey » Mon Jun 19, 2006 3:54 pm

Elpie wrote: A fix for the Mambo vulnerability has been posted on Mambo Guru http://forum.mamboguru.com/showthread.php?t=264
This patch is for 4.6 RC1 and another for 4.5.3h/4.5.4 is coming.  It is possible that the vulnerability affects older versions of Mambo as well.
When the 4.5.3h/4.5.4 patch is posted on the forum it may be useful for Joomla devs to look at (we are not going to be presumptious so wont be posting a fix for 1.0.9 ;) )
I'm sure Mambo users apprieciate this fix being made available.

However, it should be noted that you cannot access the attachement (or any attachment) on the mamboguru forums unless you are registered on the forums - this may limit the access to the fix.

It may be something you might wish to blog about on the guru site to increase its visiblity - but I understand this may be seen as trouble making
Rey Gigataras
http://www.wizmediateam.com <-- great team of talented Web Designers and Programmers!
http://about.me/reygigataras <-- About Me :)
Partner, Business Development & Project Manager, Event Manager, Sports Coach :D

User avatar
stingrey
Joomla! Hero
Joomla! Hero
Posts: 2756
Joined: Mon Aug 15, 2005 4:36 pm
Location: Marikina, Metro Manila, Philippines
Contact:

Re: [CONFIRMED] Is Joomla secure against that?

Post by stingrey » Mon Jun 19, 2006 3:57 pm

brian wrote: Ifnyou have frontend access but NOT the ability to submit weblinks are you vulnerable?
Unfortunately yes you are still vulnerable.

However, if you impelment websmurf's suggestion here:
http://forum.joomla.org/index.php/topic ... #msg366017

This will stop this hole in this instance, where you do not allow weblinks submission.
Rey Gigataras
http://www.wizmediateam.com <-- great team of talented Web Designers and Programmers!
http://about.me/reygigataras <-- About Me :)
Partner, Business Development & Project Manager, Event Manager, Sports Coach :D

User avatar
Elpie
Joomla! Guru
Joomla! Guru
Posts: 903
Joined: Wed Aug 17, 2005 11:26 pm
Contact:

Re: [UNDER REVIEW] Is Joomla secure against that?

Post by Elpie » Mon Jun 19, 2006 4:21 pm

stingrey wrote: However, it should be noted that you cannot access the attachement (or any attachment) on the mamboguru forums unless you are registered on the forums - this may limit the access to the fix.
Sadly, this is the way it has to be :( There have been abuses of copyright and until certain parties stop stripping copyright out of code, we are not comfortable with just putting the patches into our file download area. Any Mambo users who don't want to register on the forum (and there are many who don't want to be seen to be there, which is why we allow people to login as hidden users) can email me and I will send you the patches.
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info

User avatar
stingrey
Joomla! Hero
Joomla! Hero
Posts: 2756
Joined: Mon Aug 15, 2005 4:36 pm
Location: Marikina, Metro Manila, Philippines
Contact:

Re: [UNDER REVIEW] Is Joomla secure against that?

Post by stingrey » Mon Jun 19, 2006 4:35 pm

Elpie wrote: Sadly, this is the way it has to be :( There have been abuses of copyright and until certain parties stop stripping copyright out of code, we are not comfortable with just putting the patches into our file download area.
This is unfortunate, anway I'm sure there are users who appreciate the effort.
Rey Gigataras
http://www.wizmediateam.com <-- great team of talented Web Designers and Programmers!
http://about.me/reygigataras <-- About Me :)
Partner, Business Development & Project Manager, Event Manager, Sports Coach :D

MikeFossati
Joomla! Apprentice
Joomla! Apprentice
Posts: 33
Joined: Sat Oct 22, 2005 7:12 pm
Contact:

Re: [CONFIRMED] Is Joomla secure against that?

Post by MikeFossati » Mon Jun 19, 2006 4:44 pm

Securityfocus is listing another security issue related to "IncludePath Remote File Include Vulnerability" here: http://www.securityfocus.com/bid/18363/. Not sure if this has been addressed yet or not.

Mike

friesengeist
Joomla! Guru
Joomla! Guru
Posts: 842
Joined: Sat Sep 10, 2005 10:31 pm

Re: [CONFIRMED] Is Joomla secure against that?

Post by friesengeist » Mon Jun 19, 2006 4:52 pm

MikeFossati wrote: Securityfocus is listing another security issue related to "IncludePath Remote File Include Vulnerability" here: http://www.securityfocus.com/bid/18363/. Not sure if this has been addressed yet or not.
Unfortunately, securityfocus.com doesn't provide much information. If that listing is based on http://www.securityfocus.com/archive/1/436707 (they link it as a reference), then that's not going to work. I would say that's a hoax.
We may not be able to control the wind, but we can always adjust our sails

User avatar
stingrey
Joomla! Hero
Joomla! Hero
Posts: 2756
Joined: Mon Aug 15, 2005 4:36 pm
Location: Marikina, Metro Manila, Philippines
Contact:

Re: [CONFIRMED] Is Joomla secure against that?

Post by stingrey » Mon Jun 19, 2006 5:00 pm

friesengeist wrote:
MikeFossati wrote: Securityfocus is listing another security issue related to "IncludePath Remote File Include Vulnerability" here: http://www.securityfocus.com/bid/18363/. Not sure if this has been addressed yet or not.
Unfortunately, securityfocus.com doesn't provide much information. If that listing is based on http://www.securityfocus.com/archive/1/436707 (they link it as a reference), then that's not going to work. I would say that's a hoax.
Yes we are aware of this report and as pointed out by [friesengeist] there is so little information it is simply not possible to test the veracity/accuracy of the report.

We have even tried to contact the original reporter via the email listed.



However, at this stage we have to list this report as being UNCONFIRMED and possibly false.

Of course if more information can be provided we will examine the issue again.
Rey Gigataras
http://www.wizmediateam.com <-- great team of talented Web Designers and Programmers!
http://about.me/reygigataras <-- About Me :)
Partner, Business Development & Project Manager, Event Manager, Sports Coach :D

User avatar
gustavo
Joomla! Explorer
Joomla! Explorer
Posts: 427
Joined: Fri Aug 19, 2005 12:51 pm
Location: Argentina
Contact:

Re: [CONFIRMED] Is Joomla secure against that?

Post by gustavo » Mon Jun 19, 2006 5:12 pm

¿Hoax?


Tested in localhost : Joomla 1.0.9

Code: Select all

'
removed for security reasons
--------------------------------------------------------------------
Post subject: joomla blind sql injection
Posted: Jun 17, 2006 - 01:39 PM
Google's Worst Nightmare

rgod
Joined: Apr 06, 2005
Posts: 2533
Location: Italy
Status: Offline
dork:

http://www.google.com/search?q=%22jooml ... =&filter=0

maybe someone could catch more results, dunno

modified the mambo exploit to work against joomla:

http://retrogod.altervista.org/joomla_109_sql.html
Link: http://johnny.ihackstuff.com/index.php? ... 6770#16770


Have a nice day
Gustavo Raúl Aragón
Last edited by gustavo on Mon Jun 19, 2006 5:43 pm, edited 1 time in total.
Comunidad Joomla: Maintenance, support, translation and distribution for the Joomla!. Help site online. Member of the Spanish [es_ES] Joomla Translation Team. http://comunidadjoomla.org

friesengeist
Joomla! Guru
Joomla! Guru
Posts: 842
Joined: Sat Sep 10, 2005 10:31 pm

Re: [CONFIRMED] Is Joomla secure against that?

Post by friesengeist » Mon Jun 19, 2006 5:19 pm

gustavo wrote: ¿Hoax?

Tested in localhost : Joomla 1.0.9

Code: Select all

removed for security
--------------------------------------------------------------------
Have you read that I was referring to
MikeFossati wrote: Securityfocus is listing another security issue related to "IncludePath Remote File Include Vulnerability" here: http://www.securityfocus.com/bid/18363/. Not sure if this has been addressed yet or not.
this post?

I know that the [mod note: removed] stuff does work, I also confirmed yesterday that Joomla is vulnerable. However, I didn't want to make the details public, so I send them to the core devs per mail.
Last edited by nathandiehl on Mon Jun 19, 2006 5:32 pm, edited 1 time in total.
We may not be able to control the wind, but we can always adjust our sails

User avatar
gustavo
Joomla! Explorer
Joomla! Explorer
Posts: 427
Joined: Fri Aug 19, 2005 12:51 pm
Location: Argentina
Contact:

Re: [CONFIRMED] Is Joomla secure against that?

Post by gustavo » Mon Jun 19, 2006 5:28 pm

ok.. thanks friesengeist ;)

Have a nice day
Gustavo Raúl Aragón
Comunidad Joomla: Maintenance, support, translation and distribution for the Joomla!. Help site online. Member of the Spanish [es_ES] Joomla Translation Team. http://comunidadjoomla.org

User avatar
stingrey
Joomla! Hero
Joomla! Hero
Posts: 2756
Joined: Mon Aug 15, 2005 4:36 pm
Location: Marikina, Metro Manila, Philippines
Contact:

Re: [CONFIRMED] Is Joomla secure against that?

Post by stingrey » Mon Jun 19, 2006 5:32 pm

gustavo wrote: ¿Hoax?

Tested in localhost : Joomla 1.0.9
As i stated here:
http://forum.joomla.org/index.php/topic ... #msg366480
the original security report:
Joomla! "Name" SQL Injection Vulnerability
http://secunia.com/advisories/20746
has been CONFIRMED



However this issue:
Joomla IncludePath Remote File Include Vulnerability
http://www.securityfocus.com/bid/18363/
is UNCONFIRMED
Rey Gigataras
http://www.wizmediateam.com <-- great team of talented Web Designers and Programmers!
http://about.me/reygigataras <-- About Me :)
Partner, Business Development & Project Manager, Event Manager, Sports Coach :D

macosbrain
Joomla! Fledgling
Joomla! Fledgling
Posts: 1
Joined: Tue Jun 20, 2006 10:12 am

Re: [CONFIRMED] Is Joomla secure against that?

Post by macosbrain » Tue Jun 20, 2006 10:17 am

i got several other solutions for the exploit:

check http://macosbrain.ath.cx/wordpress/2006 ... n-exploit/

ps: the site is in german but i think you should understand it.

User avatar
Bettinz
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 209
Joined: Fri Sep 23, 2005 3:31 pm
Location: Italy
Contact:

Re: [CONFIRMED] Is Joomla secure against that?

Post by Bettinz » Tue Jun 20, 2006 11:10 am

i'm happy to see the utility of my thread  ;)

User avatar
eyezberg
Joomla! Hero
Joomla! Hero
Posts: 2859
Joined: Thu Aug 25, 2005 5:48 pm
Location: Geneva mostly
Contact:

Re: [CONFIRMED] Is Joomla secure against that?

Post by eyezberg » Tue Jun 20, 2006 6:01 pm

Rey, any idea about ETA for the patch? thanks

Other question: can this still be accessed if there's no published link to com_weblinks? by using the option in the url?
Sometimes one pays most for the things one gets for nothing.
The important thing is not to stop questioning. Curiosity has its own reason for existing. AE
http://joomla15.[URL banned].com for J! 1.5 screenshots
http://www.eyezberg.com

User avatar
gustavo
Joomla! Explorer
Joomla! Explorer
Posts: 427
Joined: Fri Aug 19, 2005 12:51 pm
Location: Argentina
Contact:

Re: [CONFIRMED] Is Joomla secure against that?

Post by gustavo » Tue Jun 20, 2006 6:08 pm

Oficial solution for SQL injection .. 1.0.10 ? for when?

Svn 1.0.x
** HIGH Level Threats fixed in 1.0.10

A1 Unvalidated Input
* A1 - Secured `Remember Me` functionality against SQL injection attacks
* A1 - Secured `Related Items` Module against SQL injection attacks
* A1 - Secured `Weblinks` submission against SQL injection attacks

** LOW Level Threats fixed in 1.0.10

A1 Unvalidated Input
* A1 - Hardened Frontend submission forms against spoofing
Have a nice day
Gustavo Raúl Aragón
Last edited by gustavo on Tue Jun 20, 2006 6:10 pm, edited 1 time in total.
Comunidad Joomla: Maintenance, support, translation and distribution for the Joomla!. Help site online. Member of the Spanish [es_ES] Joomla Translation Team. http://comunidadjoomla.org

User avatar
stingrey
Joomla! Hero
Joomla! Hero
Posts: 2756
Joined: Mon Aug 15, 2005 4:36 pm
Location: Marikina, Metro Manila, Philippines
Contact:

Re: [CONFIRMED] Is Joomla secure against that?

Post by stingrey » Tue Jun 20, 2006 6:17 pm

gustavo wrote: Oficial solution for SQL injection .. 1.0.10 ? for when?
We are working as quickly as possible to complete and release 1.0.10 as soon as possible - at last check my watch said 2am.
Rey Gigataras
http://www.wizmediateam.com <-- great team of talented Web Designers and Programmers!
http://about.me/reygigataras <-- About Me :)
Partner, Business Development & Project Manager, Event Manager, Sports Coach :D

User avatar
gustavo
Joomla! Explorer
Joomla! Explorer
Posts: 427
Joined: Fri Aug 19, 2005 12:51 pm
Location: Argentina
Contact:

Re: [CONFIRMED] Is Joomla secure against that?

Post by gustavo » Tue Jun 20, 2006 6:21 pm

Very thanks ray for fast reply! ;)

Have a nice day
Gustavo Raúl Aragón
Comunidad Joomla: Maintenance, support, translation and distribution for the Joomla!. Help site online. Member of the Spanish [es_ES] Joomla Translation Team. http://comunidadjoomla.org

User avatar
eyezberg
Joomla! Hero
Joomla! Hero
Posts: 2859
Joined: Thu Aug 25, 2005 5:48 pm
Location: Geneva mostly
Contact:

Re: [CONFIRMED] Is Joomla secure against that?

Post by eyezberg » Tue Jun 20, 2006 7:04 pm

Rey, go to bed! Tomorrow's as good as today!

Anyone knows / tried if this threat is workable by just appending stuff to index.php?option=...
Sometimes one pays most for the things one gets for nothing.
The important thing is not to stop questioning. Curiosity has its own reason for existing. AE
http://joomla15.[URL banned].com for J! 1.5 screenshots
http://www.eyezberg.com


Locked

Return to “Security - 1.0.x”