SQL Injection Vulnerability

Iconify · Post by **Iconify** » 04 Jul 2010, 21:45

SOS
A new vulnerability has been discovered
http://www.exploit-db.com/exploits/14207/

Iconify · Post by **Iconify** » 05 Jul 2010, 00:12

Really?

Are you sure?

Post by **Jan** » 05 Jul 2010, 14:11

Hi,

it is under supervision.

From the url which is taken as exploit:
http://server/path/index.php?option=com ... es&Itemid=[SQL Injection]

I cannot find any not protected Itemid section in Phoca Gallery:

Categories View:
::view.html.php
- line 155 - JRequest::getVar('Itemid', 0, '', 'int') - protected by integer
:: there is no controller for this view
:: model does not include any itemid request

PhocaGalleryRoute Class:
Both codes:

Code: Select all

$currentItemId    = JRequest::getVar('Itemid', 0, '', 'int');
     
      if(!$items) {
         return JRequest::getVar('Itemid', 0, '', 'int');
      }

are protected by integer.

So for now I see no place where the exploit can be used.

I will do more tests (but I looked at the whole categories view, route helper file and all the libraries).

Jan

Klementz · Post by **Klementz** » 05 Jul 2010, 18:44

Jan wrote: So for now I see no place where the exploit can be used.
I will do more tests (but I looked at the whole categories view, route helper file and all the libraries).

Thank you. I will keep a watch on this thread in case anything turns up.

Iconify · Post by **Iconify** » 06 Jul 2010, 00:14

Nice.
Maybe it is false alarm after all

pach · Post by **pach** » 07 Jul 2010, 09:38

I'll keep an eye on this thread too !
Some news ?

Post by **Jan** » 08 Jul 2010, 20:37

Hi,

no, still didn't find any way how the Itemid can be abused and didn't get any information about successfully using of this exploit.

The exploit is not verified in the database of the exploits.

Jan

wojti · Post by **wojti** » 24 Jul 2010, 17:22

Welcome
Jan see this JSST article on how to prevent SQL injection attacks, with particular emphasis on part Preventing XSS Attacks http://developer.joomla.org/security/ar ... tions.html
Greetings

Post by **Jan** » 26 Jul 2010, 17:12

Hi, maybe you don't understand the previous posts. I know how to protect the code. All Phoca Extensions are using the code which is described in the article. Some of Phoca Extensions are using more - e.g. Phoca Guestbook uses HTML purifier, etc.

The issue is reverse. There was not found any successful use of this exploit and I don't know any such. (means I don't know successful use of this exploit, but I know how to protect the code)

Jan

Xbase · Post by **Xbase** » 27 Jul 2010, 15:01

Hello,
I use phoca gallery v2.7.3 and i have found a post on exploit-db .
i want to know the risk to use this component .
If this Exploit is Verified
and what is the solution to correct this Exploit.

Thx a lot for your answer i am very concerned about the problem

my source : http://www.exploit-db.com/exploits/14207/

Phoca Forum

SQL Injection Vulnerability

SQL Injection Vulnerability

Re: SQL Injection Vulnerability

Re: SQL Injection Vulnerability

Re: SQL Injection Vulnerability

Re: SQL Injection Vulnerability

Re: SQL Injection Vulnerability

Re: SQL Injection Vulnerability

Re: SQL Injection Vulnerability

Re: SQL Injection Vulnerability

Exploit Phoca SQL Injection Vulnerability