com_content sql-injection?
Moderator: General Support Moderators
- Dead Krolik
- Joomla! Apprentice
- Posts: 11
- Joined: Sat Sep 10, 2005 6:17 am
- Location: Petrozavodsk city, Karelia, Russia
- Contact:
com_content sql-injection?
Edited by moderator, proof of concept exploits should not be posted in the forums without first notification of the developers.
Last edited by rhuk on Thu Oct 06, 2005 5:52 pm, edited 1 time in total.
- Damienov
- Joomla! Ace
- Posts: 1437
- Joined: Fri Aug 19, 2005 12:08 am
- Contact:
Re: com_content sql-injection?
it's confirmed
- Basic install of Joomla
- User as Author
this will display the encrypted MD5 password
please submit this at the bug tracker or send an email to [email protected]
Waddaya mean I can't swing my lightsaber in the forum??
- PhilTaylor-Prazgod
- Joomla! Ace
- Posts: 1402
- Joined: Sat Aug 20, 2005 12:32 pm
- Location: Jersey, Channel Islands
- Contact:
Re: com_content sql-injection?
Thank you for finding this - however posting about it in public forum is NOT the right way to protect yourself or to protect others! You should have alerted the core team first.
However, for those who wish to patch their installation before the core team are online (After the awards they just won!) you can edit
/component/com_content/content.php Line: 1223 and change it to look like this:
Code: Select all
. "\n WHERE id = ".intval($sectionid)
and that will fix the problem for now
Phil Taylor
- https://mySites.guru - Manage Multiple Joomla/WordPress Sites In One Dashboard for Security, Audits, Backups and more....
- https://www.phil-taylor.com/
- Damienov
- Joomla! Ace
- Posts: 1437
- Joined: Fri Aug 19, 2005 12:08 am
- Contact:
Re: com_content sql-injection?
thanks for the quick fix Phil
Waddaya mean I can't swing my lightsaber in the forum??
- spacemonkey
- Joomla! Enthusiast
- Posts: 182
- Joined: Fri Aug 12, 2005 7:50 pm
- Location: Turin, Italy
- Contact:
Re: com_content sql-injection?
Thanks Phil for seeing this, this post comes at a horrible time as most of us are traveling or offline with the summit and expo happening in the UK.
Again, I'd like to point out that any exploit code found in Joomla! needs to be reported to the developers, so that they can get a patch out before the exploit becomes common knowledge!
Please, please do the right thing and let us know first, before telling the world, ok? You can PM me, email me, whatever you want, just let us know before going public please!
- PhilTaylor-Prazgod
- Joomla! Ace
- Posts: 1402
- Joined: Sat Aug 20, 2005 12:32 pm
- Location: Jersey, Channel Islands
- Contact:
Re: com_content sql-injection?
> Damienov wrote: thanks for the quick fix Phil
On a brighter note - 39 Hours until my wedding :P
Phil Taylor
- https://mySites.guru - Manage Multiple Joomla/WordPress Sites In One Dashboard for Security, Audits, Backups and more....
- https://www.phil-taylor.com/
- PhilTaylor-Prazgod
- Joomla! Ace
- Posts: 1402
- Joined: Sat Aug 20, 2005 12:32 pm
- Location: Jersey, Channel Islands
- Contact:
Re: com_content sql-injection?
actually the real reason for this is an oversight at the top of the file:
Line 20+
Code: Select all
$id = intval( mosGetParam( $_REQUEST, 'id', 0 ) );
$sectionid = mosGetParam( $_REQUEST, 'sectionid', 0 );
$pop = intval( mosGetParam( $_REQUEST, 'pop', 0 ) );
$id = intval( mosGetParam( $_REQUEST, 'id', 0 ) );
$limit = intval( mosGetParam( $_REQUEST, 'limit', '' ) );
$order = mosGetParam( $_REQUEST, 'order', '' );
$limitstart = intval( mosGetParam( $_REQUEST, 'limitstart', 0 ) );
Note there are two lines for $id - this should read:
Code: Select all
$id = intval( mosGetParam( $_REQUEST, 'id', 0 ) );
$sectionid = mosGetParam( $_REQUEST, 'sectionid', 0 );
$pop = intval( mosGetParam( $_REQUEST, 'pop', 0 ) );
$sectionid = intval( mosGetParam( $_REQUEST, 'sectionid', 0 ) );
$limit = intval( mosGetParam( $_REQUEST, 'limit', '' ) );
$order = mosGetParam( $_REQUEST, 'order', '' );
$limitstart = intval( mosGetParam( $_REQUEST, 'limitstart', 0 ) );
and then there is no need for my last fix posted above.
Phil Taylor
- https://mySites.guru - Manage Multiple Joomla/WordPress Sites In One Dashboard for Security, Audits, Backups and more....
- https://www.phil-taylor.com/
- Damienov
- Joomla! Ace
- Posts: 1437
- Joined: Fri Aug 19, 2005 12:08 am
- Contact:
Re: com_content sql-injection?
> PhilTaylor-Prazgod wrote:
>> Damienov wrote: thanks for the quick fix Phil
> On a brighter note - 39 Hours until my wedding :P
yes, I've read your post in the general discussion forum, congrats!
just one question. What are you doing here? Shouldn't you be preparing or having a bachelor party or something :P
@spacemonkey
I'm really sorry about this, but I don't have the permission to edit the post
Waddaya mean I can't swing my lightsaber in the forum??
- ProjectMayhem
- Joomla! Intern
- Posts: 70
- Joined: Thu Aug 18, 2005 3:01 pm
- Contact:
Re: com_content sql-injection?
so if our sites don't have users logging in we should be ok right?? or should we do this right away. All of my sites are really static meaning I don't have any members logging in or anyone else editing the content. thanks
You are not your job. You are not how much money you have in the bank. You are not the car you drive. You are not the contents of your wallet. You are not your f!@#ing khakis. We are the all-singing, all-dancing crap of the world.
Re: com_content sql-injection?
Thanks Phil, for letting us know about this.
> this post comes at a horrible time as most of us are traveling or offline with the summit and expo happening in the UK...
I'm still here, keeping an eye out ;)
- PhilTaylor-Prazgod
- Joomla! Ace
- Posts: 1402
- Joined: Sat Aug 20, 2005 12:32 pm
- Location: Jersey, Channel Islands
- Contact:
Re: com_content sql-injection?
Grr - I posted this as a reply instead of amending my last post.
THE FOLLOWING POST HAS BEEN AMENDED AND OVERRULES THE POST MADE ABOVE
PhilTaylor-Prazgod wrote: actually the real reason for this is an oversight at the top of the file:
Line 20+
Code: Select all
$id = intval( mosGetParam( $_REQUEST, 'id', 0 ) );
$sectionid = mosGetParam( $_REQUEST, 'sectionid', 0 );
$pop = intval( mosGetParam( $_REQUEST, 'pop', 0 ) );
$id = intval( mosGetParam( $_REQUEST, 'id', 0 ) );
$limit = intval( mosGetParam( $_REQUEST, 'limit', '' ) );
$order = mosGetParam( $_REQUEST, 'order', '' );
$limitstart = intval( mosGetParam( $_REQUEST, 'limitstart', 0 ) );
Note there are two lines for $id and no intval for sectionid - this should read:
Code: Select all
$id = intval( mosGetParam( $_REQUEST, 'id', 0 ) );
$sectionid = intval(mosGetParam( $_REQUEST, 'sectionid', 0 ) );
$pop = intval( mosGetParam( $_REQUEST, 'pop', 0 ) );
$limit = intval( mosGetParam( $_REQUEST, 'limit', '' ) );
$order = mosGetParam( $_REQUEST, 'order', '' );
$limitstart = intval( mosGetParam( $_REQUEST, 'limitstart', 0 ) );
and then there is no need for my last fix posted above.
Last edited by PhilTaylor-Prazgod on Thu Oct 06, 2005 6:17 pm, edited 1 time in total.
Phil Taylor
- https://mySites.guru - Manage Multiple Joomla/WordPress Sites In One Dashboard for Security, Audits, Backups and more....
- https://www.phil-taylor.com/
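A quick way to check a file for the oversight described in the post above, as an added example that is not part of the thread or of Joomla's own code: a heuristic Python scan of `mosGetParam()` reads that reports variables whose final assignment is not wrapped in `intval()` and variables that are assigned more than once. The function name `audit_request_reads` and the regex are assumptions of this example; the two samples are the snippets quoted in the post.

```python
import re

# Heuristic (assumption of this example): request reads look like
#   $var = intval( mosGetParam( $_REQUEST, 'name', 0 ) );
#   $var = mosGetParam( $_REQUEST, 'name', 0 );
ASSIGN_RE = re.compile(
    r"^\s*\$(?P<var>\w+)\s*=\s*(?P<cast>intval\s*\(\s*)?"
    r"mosGetParam\s*\(\s*\$_(?:REQUEST|GET|POST|COOKIE)\b"
)

# "Before" snippet as quoted in the post (top of content.php, line 20+).
BEFORE = r"""$id = intval( mosGetParam( $_REQUEST, 'id', 0 ) );
$sectionid = mosGetParam( $_REQUEST, 'sectionid', 0 );
$pop = intval( mosGetParam( $_REQUEST, 'pop', 0 ) );
$id = intval( mosGetParam( $_REQUEST, 'id', 0 ) );
$limit = intval( mosGetParam( $_REQUEST, 'limit', '' ) );
$order = mosGetParam( $_REQUEST, 'order', '' );
$limitstart = intval( mosGetParam( $_REQUEST, 'limitstart', 0 ) );"""

# "After" snippet from the amended post.
AFTER = r"""$id = intval( mosGetParam( $_REQUEST, 'id', 0 ) );
$sectionid = intval(mosGetParam( $_REQUEST, 'sectionid', 0 ) );
$pop = intval( mosGetParam( $_REQUEST, 'pop', 0 ) );
$limit = intval( mosGetParam( $_REQUEST, 'limit', '' ) );
$order = mosGetParam( $_REQUEST, 'order', '' );
$limitstart = intval( mosGetParam( $_REQUEST, 'limitstart', 0 ) );"""


def audit_request_reads(php_source):
    """Return sorted (line_no, variable, issue) findings.

    issue is "uncast" when the last assignment of a variable is a raw
    mosGetParam() read, and "duplicate" for every repeated assignment.
    """
    reads = {}  # variable -> [(line_no, is_cast), ...] in file order
    for line_no, line in enumerate(php_source.splitlines(), start=1):
        m = ASSIGN_RE.match(line)
        if m:
            reads.setdefault(m.group("var"), []).append(
                (line_no, m.group("cast") is not None)
            )

    findings = []
    for var, hits in reads.items():
        # The rest of the file sees the value from the LAST assignment.
        last_line, last_cast = hits[-1]
        if not last_cast:
            # Raw request value: check by hand how it is used. A numeric
            # id should be cast; a string parameter needs its own review.
            findings.append((last_line, var, "uncast"))
        # Repeated reads usually mean a copy/paste slip, like the second
        # $id line that sits where the $sectionid cast should have been.
        for line_no, _ in hits[1:]:
            findings.append((line_no, var, "duplicate"))
    return sorted(findings)


if __name__ == "__main__":
    for label, src in (("before", BEFORE), ("after", AFTER)):
        for line_no, var, issue in audit_request_reads(src):
            print(f"{label}: line {line_no}: ${var} is {issue}")
```

The `$order` read is still reported on the amended snippet because it is a string parameter read without a cast; the scan only marks it for manual review of how the value is used.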
- PhilTaylor-Prazgod
- Joomla! Ace
- Posts: 1402
- Joined: Sat Aug 20, 2005 12:32 pm
- Location: Jersey, Channel Islands
- Contact:
Re: com_content sql-injection?
> ProjectMayhem wrote: so if our sites don't have users logging in we should be ok right?? or should we do this right away. All of my sites are really static meaning I don't have any members logging in or anyone else editing the content. thanks
You should always apply patches such as this just to be on the safe side. If someone guesses one of your login names then he/she (probably he) could use the exploit. However as you say it's not going to affect you too much at present
Phil Taylor
- https://mySites.guru - Manage Multiple Joomla/WordPress Sites In One Dashboard for Security, Audits, Backups and more....
- https://www.phil-taylor.com/
- Damienov
- Joomla! Ace
- Posts: 1437
- Joined: Fri Aug 19, 2005 12:08 am
- Contact:
Re: com_content sql-injection?
> ProjectMayhem wrote: so if our sites don't have users logging in we should be ok right?? or should we do this right away. All of my sites are really static meaning I don't have any members logging in or anyone else editing the content. thanks
I think it's quite safe for your site, but applying the fix is always a good choice
Waddaya mean I can't swing my lightsaber in the forum??
- ProjectMayhem
- Joomla! Intern
- Posts: 70
- Joined: Thu Aug 18, 2005 3:01 pm
- Contact:
Re: com_content sql-injection?
thanks.. i appreciate all the help. I'll wait until I get home then.
oh yeah and Phil. congrats man.. I've been married over a year now. Have fun
You are not your job. You are not how much money you have in the bank. You are not the car you drive. You are not the contents of your wallet. You are not your f!@#ing khakis. We are the all-singing, all-dancing crap of the world.
- Dead Krolik
- Joomla! Apprentice
- Posts: 11
- Joined: Sat Sep 10, 2005 6:17 am
- Location: Petrozavodsk city, Karelia, Russia
- Contact:
Re: com_content sql-injection?
>Edited by moderator, proof of concept exploits should not be posted in the forums without first notification of the developers.
Sorry. I posted it because I think it's not critical:
1) You must be Author
2) MySQL ver 4.x
3) You must know table prefix
4) You can get only hash
Patch is very easy, just "settype($sectionid,'integer')" at the top of the file.
>Again, I'd like to point out that any exploit code found in Joomla! needs to be reported to the developers, so that they can get a patch out before the exploit becomes common knowledge!
Ok. But my English is VERY bad and I can't speak with the core team as freely as in Russian. I thought that in the forum the problem would be patched quickly, because there are more people who can understand my stupid English.
[russian, skip if don't understand]
For our people, let me explain: these guys did not get the point at all. In principle there is no problem: patching one line takes a minute, Author access is not handed out to just anyone, and how many weeks would you spend brute-forcing a password even ten characters long? In short, it's nothing, not a bug.
[/russian]
- Damienov
- Joomla! Ace
- Posts: 1437
- Joined: Fri Aug 19, 2005 12:08 am
- Contact:
Re: com_content sql-injection?
Hi, Dead Krolik
I think your english is fine
Thank you for submitting the exploit, and keep them coming. But the next one should be sent to [email protected] or contact one of the Core dev directly
Waddaya mean I can't swing my lightsaber in the forum??
- Websmurf
- Joomla! Hero
- Posts: 2230
- Joined: Fri Aug 19, 2005 2:23 pm
- Location: The Netherlands
- Contact:
Re: com_content sql-injection?
Dead Krolik, there's nothing wrong with your english
Adam van Dongen - Developer
- Blocklist, ODT Indexer, EasyFAQ, Easy Guestbook, Easy Gallery, YaNC & Redirect -
http://www.joomla-addons.org - http://www.bandhosting.nl
- Dead Krolik
- Joomla! Apprentice
- Posts: 11
- Joined: Sat Sep 10, 2005 6:17 am
- Location: Petrozavodsk city, Karelia, Russia
- Contact:
Re: com_content sql-injection?
Heh
> there's nothing wrong with your english
Thank you, but I can't understand so much text here. I know only simple words as a student of physics.
>sent to security[]joomla.org or contact ...
I think there's no need, maybe somebody (the moderator who edited my post) already mailed the developers about this or they read my post.
- stingrey
- Joomla! Hero
- Posts: 2756
- Joined: Mon Aug 15, 2005 4:36 pm
- Location: Marikina, Metro Manila, Philippines
- Contact:
Re: com_content sql-injection?
Thank you Dead Krolik yes, we are aware of your Security Threat report.
We were pointed to this forum thread by another user and your email to [email protected] has been received.
As this affects the 1.0.x Code Base this matter comes under the responsibility of the Stability Team.
Your report is being designated as a Medium Level Threat.
A 1.0.3 Security Release will be made shortly.
This will fix:
- your Medium Level Security Threat and,
- a separate Low Level Security Threat.
- other non-critical bugs in 1.0.2
An official announcement regarding this will be made shortly with exact information regarding the release date.
Thank you for your vigilance.
Last edited by stingrey on Mon Oct 10, 2005 4:11 pm, edited 1 time in total.
Rey Gigataras
http://www.wizmediateam.com <-- great team of talented Web Designers and Programmers!
http://about.me/reygigataras <-- About Me
Partner, Business Development & Project Manager, Event Manager, Sports Coach
- Dead Krolik
- Joomla! Apprentice
- Posts: 11
- Joined: Sat Sep 10, 2005 6:17 am
- Location: Petrozavodsk city, Karelia, Russia
- Contact:
Re: com_content sql-injection?
Please do not post in public forums.
Why?
Forum name is "SECURITY and performance"
Developers don't read my mail (i send mail before 1.0.3 release)(If they read and don't think that it's not bug why they don't answer me)
You delete my post
i must silence? Or may be i must patch our localization and post it as a news at mamboteam.ru?
Last edited by Dead Krolik on Sat Oct 15, 2005 6:44 am, edited 1 time in total.
- infograf768
- Joomla! Master
- Posts: 19133
- Joined: Fri Aug 12, 2005 3:47 pm
- Location: **Translation Matters**
Re: com_content sql-injection?
@Dead Krolik
What can we do if someone posts here the precise recipe to make a bomb using common kitchen products + one specific ingredient?
We would take it off at once. (and you would too I hope )
Same for an exploit. Better send it to devs privately for it to be dealt with ASAP, thus avoiding the publicity on it and usage by badly intentioned people.
Rey answered to you in full in the post above.
Thanks again for helping on this matter and... don't forget to update to 1.0.3
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group
- Dead Krolik
- Joomla! Apprentice
- Posts: 11
- Joined: Sat Sep 10, 2005 6:17 am
- Location: Petrozavodsk city, Karelia, Russia
- Contact:
Re: com_content sql-injection?
>Rey answered to you in full in the post above.
It was first a bug. I found new.
- jomaco1
- Joomla! Guru
- Posts: 564
- Joined: Thu Aug 18, 2005 12:48 am
- Location: Muskegon, MI
Re: com_content sql-injection?
Dead Krolik,
It would be nice if everyone were as trustworthy and considerate as yourself, but we have seen too many times where others have taken advantage of information that has been made publicly available and have caused some serious damage to other peoples' sites.
We absolutely appreciate your contributions and hope you will continue to alert the developers when you find a vulnerability in the code.
What I recommend you do is check the bottom of the forum home page to see what developers and forum admins/moderators are online. Send a Private Message to several of them to make sure someone online sees it. If a core dev is not online at the time, we will make sure they receive the information.
Thanks again!