[Not an issue] Blind SQL Injection

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

Post by ghosty » Fri Dec 07, 2007 3:17 pm

Hi Folks,

just found this, can somebody confirm:
http://www.securityfocus.com/archive/1/484603

Cheers

Pete
Pete Coutts / ghosty · · GMT +1

Re: Blind SQL Injection

Post by infograf768 » Fri Dec 07, 2007 5:14 pm

Thanks Pete.
This was reported to us a few days ago and I moved the post to a private forum for investigation.
No news since.
Jean-Marie Simonet / infograf · http://www.info-graf.fr
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group


Re: Blind SQL Injection

Post by ghosty » Fri Dec 07, 2007 9:16 pm

No need to thank me,
I received this link from Markus aka Devil

Cheers

Pete
Pete Coutts / ghosty · · GMT +1


Re: Blind SQL Injection

Post by GeoUK » Tue Dec 11, 2007 11:44 pm

I posted this a few days ago when it was first disclosed and the post was 'removed' without any mention.

The vulnerability is in the open. More at -

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6272


Re: Blind SQL Injection

Post by ianmac » Wed Dec 12, 2007 4:56 pm

If you read the security report closely, it is based on a lot of assumptions that are not true.

All request parameters are passed through input filters.

The first POC is:
http://localhost/index.php?option=com_c ... 20+%20'article&id=25&Itemid=28

The view parameter will be processed by JFilterInput (which gets called in the JRequest::getCmd() call) and all characters will be removed except letters, numbers, underscore and period. This filtering prevents any blind SQL injection because SQL queries need spaces.

Further, at no point does the view touch the database - views are loaded based on files present in the filesystem rather than information that is stored in the database.

The second POC is:
http://localhost/index.php?searchword=& ... com_search

The task parameter is processed with the same filter as above (line 25 of components/com_search/search.php) and removes all characters except for letters, numbers, _ and period. And again, the task parameter never touches the database. The task parameter is used to determine which method to call from a PHP class, so while it may be possible to determine another valid task value and use it, security and permissions for the tasks are dealt with in the controller.

The third POC given was:
http://localhost/index.php?searchword=& ... mechars%27+%2B+%27com_search

The option parameter is also filtered using the same regular expression, and this does not touch the database either.

The report was based on a lot of assumptions and demonstrated a lack of understanding of the Joomla! architecture.

Please feel free to ask questions and I will do my best to answer them.
Ian
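
The "cmd" filtering Ian describes, as an added example (a Python reimplementation of the behaviour described in his post, not Joomla's own JFilterInput code): the allowed-character class follows his description, and the sample URL and the set of available views are constructed assumptions.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Reimplementation (added here, not Joomla's JFilterInput) of the "cmd"
# filter as the post describes it: every character other than letters,
# digits, underscore and period is removed.
_NOT_CMD_CHAR = re.compile(r"[^A-Za-z0-9_.]")


def filter_cmd(value: str) -> str:
    """Return value with every disallowed character stripped out."""
    return _NOT_CMD_CHAR.sub("", value)


def get_cmd(url: str, name: str, default: str = "") -> str:
    """Read one query parameter from url and pass it through filter_cmd.

    parse_qs already percent-decodes and turns '+' into a space, so the
    filter sees the same decoded string the PHP request layer would.
    """
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    raw = params.get(name, [default])[0]
    return filter_cmd(raw)


# Constructed stand-in for "views present on the filesystem": the filtered
# view name is matched against this set and never used in a database query.
AVAILABLE_VIEWS = {"article", "category", "section"}


def resolve_view(url: str) -> Optional[str]:
    """Return the view to load, or None if no such view file exists."""
    view = get_cmd(url, "view", "article")
    return view if view in AVAILABLE_VIEWS else None


# Constructed sample URL in the shape of the first PoC: a quote, a space and
# a concatenation operator wrapped around the view name.
SAMPLE_URL = ("http://localhost/index.php?option=com_content"
              "&view=%27%20%2B%20%27article&id=25&Itemid=28")

if __name__ == "__main__":
    raw_view = parse_qs(urlsplit(SAMPLE_URL).query)["view"][0]
    print("decoded view :", repr(raw_view))                     # "' + 'article"
    print("filtered view:", repr(get_cmd(SAMPLE_URL, "view")))  # 'article'
    print("resolved to  :", resolve_view(SAMPLE_URL))           # article
```

The space, quote and plus never survive the filter, so what reaches the view loader is a bare identifier that is then matched against files on disk rather than fed to a query.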


Re: [Not an issue] Blind SQL Injection

Post by GeoUK » Thu Dec 13, 2007 8:15 am

Thanks for the detailed reply.

I was getting worried that my original post had been 'moved' to try and cover up the vulnerability in Joomla 1.5.

Now that it is explained I am sure a lot of people will be relieved.

Thanks again.


Re: [Not an issue] Blind SQL Injection

Post by infograf768 » Thu Dec 13, 2007 9:48 am

You should not be worried. I moved it to be investigated as I posted and you should have got notified.
The only issue was the delay in getting a reply. :)
Jean-Marie Simonet / infograf · http://www.info-graf.fr
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group


Re: [Not an issue] Blind SQL Injection

Post by ianmac » Thu Dec 13, 2007 3:51 pm

I just wish people would do a bit more research before claiming they have found a security hole...  That was, IMO, very irresponsible and unfortunate.

Ian


Re: [Not an issue] Blind SQL Injection

Post by GeoUK » Tue Jan 08, 2008 1:10 am

ianmac wrote: I just wish people would do a bit more research before claiming they have found a security hole...  That was, IMO, very irresponsible and unfortunate.

Ian
I don't quite know who that comment was aimed at, but I personally never claimed to have "found a security hole".

I posted a link to a site that did publish the vulnerability and provided POC. This post was then 'mysteriously' removed without any comments from anyone. This then made me very suspicious of why it was removed. This thread was then started a few days later and this time you (ianmac) posted an explanation of the 'vulnerability' and POC.

If we are not supposed to post items here to make others aware of these 'alleged' vulnerabilities, why have a Security forum at all?


Re: [Not an issue] Blind SQL Injection

Post by ianmac » Tue Jan 08, 2008 1:29 am

I don't quite know who that comment was aimed at, but I personally never claimed to have "found a security hole".
Nope...  wasn't aimed at you at all...  was aimed at the person who originally posted the message on the website (securityfocus).

The post on there was so poorly researched and was based on no knowledge of how these aspects of the Joomla! core work.

I don't know why the thread was moved, but it could have been moved to a private area for further examination, and never got moved back for some reason.

The point of the security forum in general is to discuss information on how to secure a Joomla! site. The intention is not necessarily to post vulnerabilities.

The responsible course of action in this situation would have been for the person who posted on securityfocus to send information on the vulnerability directly to the Joomla! devs for investigation.

In this case, with something that has already been posted elsewhere, it isn't as big of a deal to post it here in the forums, but in general, vulnerabilities should be sent first to the devs so that it can be patched before the vulnerability is exploited on live sites.  If the vulnerability is not addressed after a few days, then perhaps it is appropriate to post it on such a forum, but I feel it is more appropriate to give the developers a chance to fix the vulnerability and send out a patch before sites get hacked.

Ian


Re: [Not an issue] Blind SQL Injection

Post by infograf768 » Tue Jan 08, 2008 7:31 am

GeoUK wrote:

I posted a link to a site that did publish the vulnerability and provided POC. This post was them 'mysteriously' removed without any comments from anyone. This then made me very suspicious of why it was removed.
Once and for all (I wrote it twice already above), I moved your post to be investigated and thanked you for it.
If you receive notifications, you should have got my post.
infograf768 wrote: Thanks.

Moving this thread to a dev private forum for investigation.
Jean-Marie Simonet / infograf · http://www.info-graf.fr
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group

