exploit in phocadomentation

Phoca Documentation - creating documentation in Joomla! CMS
User avatar
Jan
Phoca Hero
Phoca Hero
Posts: 48402
Joined: 10 Nov 2007, 18:23
Location: Czech Republic
Contact:

Re: exploit in phocadomentation

Post by Jan »

Hi, in this exploit the problem with id of an section is described... in fact the id is protected two times...

First: with JRequest Method, it means that id will be transfered to Integer (Number):
$id = JRequest::getVar('id', 0, '', 'int');
so if you want to add e.g. 1+AND+1...and some SQL code to it, everything will be converted to only one number: 1
Second: in sql query is (int) ... so the same as by First...

I have tried it in Perl and got some hash code (every time some other hashcode)... the same I got by every URL address, e.g. index.php?option=com_content&view=article&id=1+AND .... ???

I have contacted Joomla! Security Team too, they didn't found any problem there too.
Some respectable sites which are engaged with security, removed this exploit information from their sites...

But internet and applications in internet will neve be secure, so I am monitoring all activities about this topic... if someone get some similar or important information, please contact me via e-mail (info [at] phoca [dot]cz)

Thank you, Jan
If you find Phoca extensions useful, please support the project