com_content sql-injection?

[Dead Krolik]

Edited by moderator, proof of concept exploits should not be posted in the forums without first notification of the developers.

[Damienov]

its confirmed
- Basic install of Joomla
- User as Author
this will display the encrypted MD5 password

please submit this at the bug tracker or send an email to [email protected]

[PhilTaylor-Prazgod]

Thank you for finding this - however posting about it in public forum is NOT the right way to protect yourself or to protect others! You should have alerted the core team first.

However, for those who wish to patch their installation before the core team are online (After the awards they just won!) you can edit

/component/com_content/content.php  Line: 1223 and change it to look like this:

Code: Select all

	. "\n WHERE id = ".intval($sectionid)

and that will fix the problem for now

[Damienov]

thanks for the quick fix Phil 

[spacemonkey]

Thanks Phil for seeing this, this post comes at a horrible time as most of us are traveling or offline with the summit and expo happening in the UK.

Again, I'd like to point out that any exploit code found in Joomla! needs to be reported to the developers, so that they can get a patch out before the exploit becomes common knowledge!

Please. please do the right thing and let us know first, before telling the world, ok? You can PM me, email me, whatever you want, just let us know before going public please!

[PhilTaylor-Prazgod]

thanks for the quick fix Phil 

On a brighter note - 39 Hours until my wedding  :P

[PhilTaylor-Prazgod]

actually the real reason for this is an oversight at the top of the file:

Line 20+

Code: Select all

$id			= intval( mosGetParam( $_REQUEST, 'id', 0 ) );
$sectionid 	= mosGetParam( $_REQUEST, 'sectionid', 0 );
$pop 		= intval( mosGetParam( $_REQUEST, 'pop', 0 ) );
$id 		= intval( mosGetParam( $_REQUEST, 'id', 0 ) );
$limit 		= intval( mosGetParam( $_REQUEST, 'limit', '' ) );
$order 		= mosGetParam( $_REQUEST, 'order', '' );
$limitstart = intval( mosGetParam( $_REQUEST, 'limitstart', 0 ) );

Note there are two lines for $id - this should read:

Code: Select all

$id			= intval( mosGetParam( $_REQUEST, 'id', 0 ) );
$sectionid 	= mosGetParam( $_REQUEST, 'sectionid', 0 );
$pop 		= intval( mosGetParam( $_REQUEST, 'pop', 0 ) );
$sectionid 		= intval( mosGetParam( $_REQUEST, 'sectionid', 0 ) );
$limit 		= intval( mosGetParam( $_REQUEST, 'limit', '' ) );
$order 		= mosGetParam( $_REQUEST, 'order', '' );
$limitstart = intval( mosGetParam( $_REQUEST, 'limitstart', 0 ) );

and then there is no need for my last fix posted above.

[Damienov]

thanks for the quick fix Phil 

On a brighter note - 39 Hours until my wedding  :P

yes, i've read your post in the general discussion forum, congrats!
just one question. What are you doing here? shouldnt you prepare or having a bachelor party or something  :P

@spacemonkey
I'm realy sorry about this, but I dont have the permission to edit the post

[ProjectMayhem]

so if our sites don't have users logging in we should be ok right?? or should we do this right away.  All of my sites are really static meaning I don't have any members logging in or anyone else editing the content. thanks

[user deleted]

Thanks Phil, for letting us know about this.

this post comes at a horrible time as most of us are traveling or offline with the summit and expo happening in the UK...

I'm still here, keeping an eye out  ;)

[PhilTaylor-Prazgod]

Grr - I posted this as a reply instead of amending my last post. 

THE FOLLOWING POST HAS BEEN AMENDED AND OVERRULES THE POST MADE ABOVE

actually the real reason for this is an oversight at the top of the file:

Line 20+

Code: Select all

$id			= intval( mosGetParam( $_REQUEST, 'id', 0 ) );
$sectionid 	= mosGetParam( $_REQUEST, 'sectionid', 0 );
$pop 		= intval( mosGetParam( $_REQUEST, 'pop', 0 ) );
$id 		= intval( mosGetParam( $_REQUEST, 'id', 0 ) );
$limit 		= intval( mosGetParam( $_REQUEST, 'limit', '' ) );
$order 		= mosGetParam( $_REQUEST, 'order', '' );
$limitstart = intval( mosGetParam( $_REQUEST, 'limitstart', 0 ) );

Note there are two lines for $id and no intval for sectionid - this should read:

Code: Select all

$id			= intval( mosGetParam( $_REQUEST, 'id', 0 ) );
$sectionid 	= intval(mosGetParam( $_REQUEST, 'sectionid', 0 ) );
$pop 		= intval( mosGetParam( $_REQUEST, 'pop', 0 ) );

$limit 		= intval( mosGetParam( $_REQUEST, 'limit', '' ) );
$order 		= mosGetParam( $_REQUEST, 'order', '' );
$limitstart = intval( mosGetParam( $_REQUEST, 'limitstart', 0 ) );

and then there is no need for my last fix posted above.

[PhilTaylor-Prazgod]

so if our sites don't have users logging in we should be ok right?? or should we do this right away.  All of my sites are really static meaning I don't have any members logging in or anyone else editing the content. thanks

You should always apply patches such as this just to be on the safe side.  If some one guesses one of your login names then he/she (probably he) could use the exploit.  However as you say its not going to affect you oo much at present

[Damienov]

so if our sites don't have users logging in we should be ok right?? or should we do this right away.  All of my sites are really static meaning I don't have any members logging in or anyone else editing the content. thanks

I thinks its quite safe for your site, but applying the fix is always a good choice

[ProjectMayhem]

thanks..  i appreciate all the help.  I'll wait until I get home then. 

oh yeah and Phil.  congrats man..  I've been married over a year now. Have fun 

[Dead Krolik]

>Edited by moderator, proof of concept exploits should not be posted in the forums without first notification of the developers.
Sorry. I posted it because i think it's not critical:

1)You must be Author
2)MySQL ver 4.x
3)You must know table prefix
4)You can get only hash

Patch is very easy, just "settype($sectionid,'integer')" at the top of the file.

>Again, I'd like to point out that any exploit code found in Joomla! needs to be reported to the developers, so that they can get a patch out before the exploit becomes common knowledge!
Ok. But my english is VERY bad and i can't speak with core-team as freely as at russian. I thinked that in forum it problem will pathed quickly, because there are more peolpes, who can uderstand my stupid english.

[russian, skip if don't understand]
Для наших объясняю, что эти товарищи вообще не вкурили в суть дела. Проблемы в принципе не существует, пропатчить одну строку - минутное дело, доступ автора каждому встречному не дают и сколько недель вы будете перебирать пароль хотя бы длиной в десяток символов. Вообщем ерунда, а не баг.
[/russian]

[Damienov]

HI, Dead Krolik
I think your english is fine

Thank you for submitting the exploit, and keep them coming. But the next one should be sent to [email protected] or contact one of the Core dev directly

[Websmurf]

Dead Krolik, there's nothing wrong with your english

[Dead Krolik]

Heh

> there's nothing wrong with your english
Thank you, but i can't uderstand so many text here I know only simple words as a student of physics.

>sent to security[]joomla.org or contact ...
I think it's no need, may be somebody (maderator, who edit my post) already mail to developers about this or they read my post.

[stingrey]

Thank you Dead Krolik yes, we are aware of your Security Threat report.
We were pointed to this forum thread by another user and your email to [email protected] has been recieved.


As this affects the 1.0.x Code Base this matter comes under the responsibility of the Stability Team.

Your report is being designated as a Medium Level Threat.


A 1.0.3 Security Release will be made shortly.
This will fix:
- your Medium Level Security Threat and,
- a separate Low Level Security Threat. 
- other non-critical bugs in 1.0.2


An official annoucement regards to this will be made shortly with exact information regards the release date.


Thank you for your vigilance.

[Dead Krolik]

Please do not post in public forums.

Why?
Forum name is "SECURITY and perfomance"
Developers don't read my mail (i send mail before 1.0.3 release)(If they read and don't think that it's not bug why they don't answer me)
You delete my post

i must silence? Or may be i must patch our localization and post it as a news at mamboteam.ru?

[infograf768]

@Deaed Krolik

What can we do if someone posts here the precise recepy to make a bomb using common kitchen products + one specific ingredient?

We would take it off at once. (and you would too I hope )

Same for an exploit. Better send it to devs privately for it to be dealt with ASAP, thus avoiding the publicity on it and usage by badly intentioned people.

Rey answered to you in full in the post above.

Thanks again for helping on this matter and... don't forget to update to 1.0.3

[Dead Krolik]

>Rey answered to you in full in the post above.
It was first a bug. I found new.

[jomaco1]

Dead Krolik,

It would be nice if everyone were as trustworthy and considerate as yourself, but we have seen too many times where others have taken advantage of information that has been made publicly available and have caused some serious damage to other peoples' sites.

We absolutely appreciate your contributions and hope you will continue to alert the developers when you find a vulnerablility in the code.

What I recommend you do is check the bottom of the forum home page to see what developers and forum admins/moderators are online. Send a Private Message to several of them to make sure someone online sees it. If a core dev is not online at the time, we will make sure they receive the information.

Thanks again!