com_content sql-injection?

Discussion regarding Joomla! security issues.

Moderator: General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
Locked
User avatar
Dead Krolik
Joomla! Apprentice
Joomla! Apprentice
Posts: 11
Joined: Sat Sep 10, 2005 6:17 am
Location: Petrozavodsk city, Karelia, Russia
Contact:

com_content sql-injection?

Post by Dead Krolik » Thu Oct 06, 2005 5:29 pm

Edited by moderator, proof of concept exploits should not be posted in the forums without first notification of the developers.
Last edited by rhuk on Thu Oct 06, 2005 5:52 pm, edited 1 time in total.
http://dead-krolik.info - My personal blog
http://joostina-cms.org - Joostina, CMS based ono Joomla

User avatar
Damienov
Joomla! Ace
Joomla! Ace
Posts: 1442
Joined: Fri Aug 19, 2005 12:08 am
Contact:

Re: com_content sql-injection?

Post by Damienov » Thu Oct 06, 2005 5:39 pm

its confirmed
- Basic install of Joomla
- User as Author
this will display the encrypted MD5 password

please submit this at the bug tracker or send an email to security@joomla.org
Waddaya mean I can't swing my lightsaber in the forum??

User avatar
PhilTaylor-Prazgod
Joomla! Ace
Joomla! Ace
Posts: 1205
Joined: Sat Aug 20, 2005 12:32 pm
Location: Jersey, Channel Islands
Contact:

Re: com_content sql-injection?

Post by PhilTaylor-Prazgod » Thu Oct 06, 2005 5:49 pm

Thank you for finding this - however posting about it in public forum is NOT the right way to protect yourself or to protect others! You should have alerted the core team first.

However, for those who wish to patch their installation before the core team are online (After the awards they just won!) you can edit

/component/com_content/content.php  Line: 1223 and change it to look like this:

Code: Select all

	. "\n WHERE id = ".intval($sectionid)
and that will fix the problem for now
Phil Taylor
Founder, Lead Developer
- https://mySites.guru - Manage Multiple Joomla/WordPress Sites In One Dashboard for Security, Audits, Backups and more....
- https://www.phil-taylor.com/ - My Twitter Streams

User avatar
Damienov
Joomla! Ace
Joomla! Ace
Posts: 1442
Joined: Fri Aug 19, 2005 12:08 am
Contact:

Re: com_content sql-injection?

Post by Damienov » Thu Oct 06, 2005 5:57 pm

thanks for the quick fix Phil  ;)
Waddaya mean I can't swing my lightsaber in the forum??

User avatar
spacemonkey
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 201
Joined: Fri Aug 12, 2005 7:50 pm
Location: Turin, Italy
Contact:

Re: com_content sql-injection?

Post by spacemonkey » Thu Oct 06, 2005 6:00 pm

Thanks Phil for seeing this, this post comes at a horrible time as most of us are traveling or offline with the summit and expo happening in the UK.

Again, I'd like to point out that any exploit code found in Joomla! needs to be reported to the developers, so that they can get a patch out before the exploit becomes common knowledge!

Please. please do the right thing and let us know first, before telling the world, ok? You can PM me, email me, whatever you want, just let us know before going public please!

User avatar
PhilTaylor-Prazgod
Joomla! Ace
Joomla! Ace
Posts: 1205
Joined: Sat Aug 20, 2005 12:32 pm
Location: Jersey, Channel Islands
Contact:

Re: com_content sql-injection?

Post by PhilTaylor-Prazgod » Thu Oct 06, 2005 6:05 pm

Damienov wrote: thanks for the quick fix Phil  ;)
On a brighter note - 39 Hours until my wedding  :P
Phil Taylor
Founder, Lead Developer
- https://mySites.guru - Manage Multiple Joomla/WordPress Sites In One Dashboard for Security, Audits, Backups and more....
- https://www.phil-taylor.com/ - My Twitter Streams

User avatar
PhilTaylor-Prazgod
Joomla! Ace
Joomla! Ace
Posts: 1205
Joined: Sat Aug 20, 2005 12:32 pm
Location: Jersey, Channel Islands
Contact:

Re: com_content sql-injection?

Post by PhilTaylor-Prazgod » Thu Oct 06, 2005 6:12 pm

actually the real reason for this is an oversight at the top of the file:

Line 20+

Code: Select all

$id			= intval( mosGetParam( $_REQUEST, 'id', 0 ) );
$sectionid 	= mosGetParam( $_REQUEST, 'sectionid', 0 );
$pop 		= intval( mosGetParam( $_REQUEST, 'pop', 0 ) );
$id 		= intval( mosGetParam( $_REQUEST, 'id', 0 ) );
$limit 		= intval( mosGetParam( $_REQUEST, 'limit', '' ) );
$order 		= mosGetParam( $_REQUEST, 'order', '' );
$limitstart = intval( mosGetParam( $_REQUEST, 'limitstart', 0 ) );
Note there are two lines for $id - this should read:

Code: Select all

$id			= intval( mosGetParam( $_REQUEST, 'id', 0 ) );
$sectionid 	= mosGetParam( $_REQUEST, 'sectionid', 0 );
$pop 		= intval( mosGetParam( $_REQUEST, 'pop', 0 ) );
$sectionid 		= intval( mosGetParam( $_REQUEST, 'sectionid', 0 ) );
$limit 		= intval( mosGetParam( $_REQUEST, 'limit', '' ) );
$order 		= mosGetParam( $_REQUEST, 'order', '' );
$limitstart = intval( mosGetParam( $_REQUEST, 'limitstart', 0 ) );
and then there is no need for my last fix posted above.
Phil Taylor
Founder, Lead Developer
- https://mySites.guru - Manage Multiple Joomla/WordPress Sites In One Dashboard for Security, Audits, Backups and more....
- https://www.phil-taylor.com/ - My Twitter Streams

User avatar
Damienov
Joomla! Ace
Joomla! Ace
Posts: 1442
Joined: Fri Aug 19, 2005 12:08 am
Contact:

Re: com_content sql-injection?

Post by Damienov » Thu Oct 06, 2005 6:13 pm

PhilTaylor-Prazgod wrote:
Damienov wrote: thanks for the quick fix Phil  ;)
On a brighter note - 39 Hours until my wedding  :P
yes, i've read your post in the general discussion forum, congrats!
just one question. What are you doing here? shouldnt you prepare or having a bachelor party or something  :P

@spacemonkey
I'm realy sorry about this, but I dont have the permission to edit the post :-[
Waddaya mean I can't swing my lightsaber in the forum??

User avatar
ProjectMayhem
Joomla! Intern
Joomla! Intern
Posts: 70
Joined: Thu Aug 18, 2005 3:01 pm
Contact:

Re: com_content sql-injection?

Post by ProjectMayhem » Thu Oct 06, 2005 6:15 pm

so if our sites don't have users logging in we should be ok right?? or should we do this right away.  All of my sites are really static meaning I don't have any members logging in or anyone else editing the content. thanks
You are not your job. You are not how much money you have in the bank.  You are not the car you drive. You are not the contents of your wallet. You are not your f!@#ing khakis. We are the all-singing, all-dancing crap of the world.

User avatar
Robin
Joomla! Master
Joomla! Master
Posts: 15753
Joined: Thu Aug 18, 2005 10:41 am

Re: com_content sql-injection?

Post by Robin » Thu Oct 06, 2005 6:15 pm

Thanks Phil, for letting us know about this.
this post comes at a horrible time as most of us are traveling or offline with the summit and expo happening in the UK...
I'm still here, keeping an eye out  ;)

User avatar
PhilTaylor-Prazgod
Joomla! Ace
Joomla! Ace
Posts: 1205
Joined: Sat Aug 20, 2005 12:32 pm
Location: Jersey, Channel Islands
Contact:

Re: com_content sql-injection?

Post by PhilTaylor-Prazgod » Thu Oct 06, 2005 6:16 pm

Grr - I posted this as a reply instead of amending my last post. 

THE FOLLOWING POST HAS BEEN AMENDED AND OVERRULES THE POST MADE ABOVE

PhilTaylor-Prazgod wrote: actually the real reason for this is an oversight at the top of the file:

Line 20+

Code: Select all

$id			= intval( mosGetParam( $_REQUEST, 'id', 0 ) );
$sectionid 	= mosGetParam( $_REQUEST, 'sectionid', 0 );
$pop 		= intval( mosGetParam( $_REQUEST, 'pop', 0 ) );
$id 		= intval( mosGetParam( $_REQUEST, 'id', 0 ) );
$limit 		= intval( mosGetParam( $_REQUEST, 'limit', '' ) );
$order 		= mosGetParam( $_REQUEST, 'order', '' );
$limitstart = intval( mosGetParam( $_REQUEST, 'limitstart', 0 ) );
Note there are two lines for $id and no intval for sectionid - this should read:

Code: Select all

$id			= intval( mosGetParam( $_REQUEST, 'id', 0 ) );
$sectionid 	= intval(mosGetParam( $_REQUEST, 'sectionid', 0 ) );
$pop 		= intval( mosGetParam( $_REQUEST, 'pop', 0 ) );

$limit 		= intval( mosGetParam( $_REQUEST, 'limit', '' ) );
$order 		= mosGetParam( $_REQUEST, 'order', '' );
$limitstart = intval( mosGetParam( $_REQUEST, 'limitstart', 0 ) );
and then there is no need for my last fix posted above.
Last edited by PhilTaylor-Prazgod on Thu Oct 06, 2005 6:17 pm, edited 1 time in total.
Phil Taylor
Founder, Lead Developer
- https://mySites.guru - Manage Multiple Joomla/WordPress Sites In One Dashboard for Security, Audits, Backups and more....
- https://www.phil-taylor.com/ - My Twitter Streams

User avatar
PhilTaylor-Prazgod
Joomla! Ace
Joomla! Ace
Posts: 1205
Joined: Sat Aug 20, 2005 12:32 pm
Location: Jersey, Channel Islands
Contact:

Re: com_content sql-injection?

Post by PhilTaylor-Prazgod » Thu Oct 06, 2005 6:19 pm

ProjectMayhem wrote: so if our sites don't have users logging in we should be ok right?? or should we do this right away.  All of my sites are really static meaning I don't have any members logging in or anyone else editing the content. thanks
You should always apply patches such as this just to be on the safe side.  If some one guesses one of your login names then he/she (probably he) could use the exploit.  However as you say its not going to affect you oo much at present
Phil Taylor
Founder, Lead Developer
- https://mySites.guru - Manage Multiple Joomla/WordPress Sites In One Dashboard for Security, Audits, Backups and more....
- https://www.phil-taylor.com/ - My Twitter Streams

User avatar
Damienov
Joomla! Ace
Joomla! Ace
Posts: 1442
Joined: Fri Aug 19, 2005 12:08 am
Contact:

Re: com_content sql-injection?

Post by Damienov » Thu Oct 06, 2005 6:19 pm

ProjectMayhem wrote: so if our sites don't have users logging in we should be ok right?? or should we do this right away.  All of my sites are really static meaning I don't have any members logging in or anyone else editing the content. thanks
I thinks its quite safe for your site, but applying the fix is always a good choice
Waddaya mean I can't swing my lightsaber in the forum??

User avatar
ProjectMayhem
Joomla! Intern
Joomla! Intern
Posts: 70
Joined: Thu Aug 18, 2005 3:01 pm
Contact:

Re: com_content sql-injection?

Post by ProjectMayhem » Thu Oct 06, 2005 6:22 pm

thanks..  i appreciate all the help.  I'll wait until I get home then. 

oh yeah and Phil.  congrats man..  I've been married over a year now. Have fun  :'(
You are not your job. You are not how much money you have in the bank.  You are not the car you drive. You are not the contents of your wallet. You are not your f!@#ing khakis. We are the all-singing, all-dancing crap of the world.

User avatar
Dead Krolik
Joomla! Apprentice
Joomla! Apprentice
Posts: 11
Joined: Sat Sep 10, 2005 6:17 am
Location: Petrozavodsk city, Karelia, Russia
Contact:

Re: com_content sql-injection?

Post by Dead Krolik » Fri Oct 07, 2005 11:29 am

>Edited by moderator, proof of concept exploits should not be posted in the forums without first notification of the developers.
Sorry. I posted it because i think it's not critical:

1)You must be Author
2)MySQL ver 4.x
3)You must know table prefix
4)You can get only hash

Patch is very easy, just "settype($sectionid,'integer')" at the top of the file.

>Again, I'd like to point out that any exploit code found in Joomla! needs to be reported to the developers, so that they can get a patch out before the exploit becomes common knowledge!
Ok. But my english is VERY bad and i can't speak with core-team as freely as at russian. I thinked that in forum it problem will pathed quickly, because there are more peolpes, who can uderstand my stupid english.

[russian, skip if don't understand]
Для наших объясняю, что эти товарищи вообще не вкурили в суть дела. Проблемы в принципе не существует, пропатчить одну строку - минутное дело, доступ автора каждому встречному не дают и сколько недель вы будете перебирать пароль хотя бы длиной в десяток символов. Вообщем ерунда, а не баг.
[/russian]
http://dead-krolik.info - My personal blog
http://joostina-cms.org - Joostina, CMS based ono Joomla

User avatar
Damienov
Joomla! Ace
Joomla! Ace
Posts: 1442
Joined: Fri Aug 19, 2005 12:08 am
Contact:

Re: com_content sql-injection?

Post by Damienov » Fri Oct 07, 2005 3:09 pm

HI, Dead Krolik
I think your english is fine

Thank you for submitting the exploit, and keep them coming. But the next one should be sent to security@joomla.org or contact one of the Core dev directly
Waddaya mean I can't swing my lightsaber in the forum??

User avatar
Websmurf
Joomla! Hero
Joomla! Hero
Posts: 2230
Joined: Fri Aug 19, 2005 2:23 pm
Location: The Netherlands
Contact:

Re: com_content sql-injection?

Post by Websmurf » Fri Oct 07, 2005 3:21 pm

Dead Krolik, there's nothing wrong with your english :)
Adam van Dongen - Developer

- Blocklist, ODT Indexer, EasyFAQ, Easy Guestbook, Easy Gallery, YaNC & Redirect -
http://www.joomla-addons.org - http://www.bandhosting.nl

User avatar
Dead Krolik
Joomla! Apprentice
Joomla! Apprentice
Posts: 11
Joined: Sat Sep 10, 2005 6:17 am
Location: Petrozavodsk city, Karelia, Russia
Contact:

Re: com_content sql-injection?

Post by Dead Krolik » Fri Oct 07, 2005 4:40 pm

Heh

> there's nothing wrong with your english
Thank you, but i can't uderstand so many text here :( I know only simple words as a student of physics.

>sent to security[]joomla.org or contact ...
I think it's no need, may be somebody (maderator, who edit my post) already mail to developers about this or they read my post.
http://dead-krolik.info - My personal blog
http://joostina-cms.org - Joostina, CMS based ono Joomla

User avatar
stingrey
Joomla! Hero
Joomla! Hero
Posts: 2756
Joined: Mon Aug 15, 2005 4:36 pm
Location: Marikina, Metro Manila, Philippines
Contact:

Re: com_content sql-injection?

Post by stingrey » Mon Oct 10, 2005 4:10 pm

Thank you Dead Krolik yes, we are aware of your Security Threat report.
We were pointed to this forum thread by another user and your email to security@joomla.org has been recieved.


As this affects the 1.0.x Code Base this matter comes under the responsibility of the Stability Team.

Your report is being designated as a Medium Level Threat.


A 1.0.3 Security Release will be made shortly.
This will fix:
- your Medium Level Security Threat and,
- a separate Low Level Security Threat
- other non-critical bugs in 1.0.2


An official annoucement regards to this will be made shortly with exact information regards the release date.


Thank you for your vigilance.
Last edited by stingrey on Mon Oct 10, 2005 4:11 pm, edited 1 time in total.
Rey Gigataras
http://www.wizmediateam.com <-- great team of talented Web Designers and Programmers!
http://about.me/reygigataras <-- About Me :)
Partner, Business Development & Project Manager, Event Manager, Sports Coach :D

User avatar
Dead Krolik
Joomla! Apprentice
Joomla! Apprentice
Posts: 11
Joined: Sat Sep 10, 2005 6:17 am
Location: Petrozavodsk city, Karelia, Russia
Contact:

Re: com_content sql-injection?

Post by Dead Krolik » Fri Oct 14, 2005 7:59 pm

Please do not post in public forums.

Why?
Forum name is "SECURITY and perfomance"
Developers don't read my mail (i send mail before 1.0.3 release)(If they read and don't think that it's not bug why they don't answer me)
You delete my post

i must silence? Or may be i must patch our localization and post it as a news at mamboteam.ru?
Last edited by Dead Krolik on Sat Oct 15, 2005 6:44 am, edited 1 time in total.
http://dead-krolik.info - My personal blog
http://joostina-cms.org - Joostina, CMS based ono Joomla

User avatar
infograf768
Joomla! Master
Joomla! Master
Posts: 18887
Joined: Fri Aug 12, 2005 3:47 pm
Location: **Translation Matters**

Re: com_content sql-injection?

Post by infograf768 » Sat Oct 15, 2005 7:02 am

@Deaed Krolik

What can we do if someone posts here the precise recepy to make a bomb using common kitchen products + one specific ingredient?

We would take it off at once. (and you would too I hope ;) )

Same for an exploit. Better send it to devs privately for it to be dealt with ASAP, thus avoiding the publicity on it and usage by badly intentioned people.

Rey answered to you in full in the post above.

Thanks again for helping on this matter and... don't forget to update to 1.0.3 ;)
Jean-Marie Simonet / infograf · http://www.info-graf.fr
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group

User avatar
Dead Krolik
Joomla! Apprentice
Joomla! Apprentice
Posts: 11
Joined: Sat Sep 10, 2005 6:17 am
Location: Petrozavodsk city, Karelia, Russia
Contact:

Re: com_content sql-injection?

Post by Dead Krolik » Sat Oct 15, 2005 7:32 am

>Rey answered to you in full in the post above.
It was first a bug. I found new.
http://dead-krolik.info - My personal blog
http://joostina-cms.org - Joostina, CMS based ono Joomla

User avatar
jomaco1
Joomla! Guru
Joomla! Guru
Posts: 564
Joined: Thu Aug 18, 2005 12:48 am
Location: Muskegon, MI

Re: com_content sql-injection?

Post by jomaco1 » Sat Oct 15, 2005 2:02 pm

Dead Krolik,

It would be nice if everyone were as trustworthy and considerate as yourself, but we have seen too many times where others have taken advantage of information that has been made publicly available and have caused some serious damage to other peoples' sites.

We absolutely appreciate your contributions and hope you will continue to alert the developers when you find a vulnerablility in the code.

What I recommend you do is check the bottom of the forum home page to see what developers and forum admins/moderators are online. Send a Private Message to several of them to make sure someone online sees it. If a core dev is not online at the time, we will make sure they receive the information.

Thanks again!


Locked

Return to “Security - 1.0.x”