Re: exploit in phocadomentation
Posted: 08 Jan 2009, 01:07
Hi, in this exploit the problem with the id of a section is described... in fact the id is protected two times...
First: with the JRequest method, which means that the id will be converted to an integer (number):
$id = JRequest::getVar('id', 0, '', 'int');
so if you want to add e.g. 1+AND+1... and some SQL code to it, everything will be converted to only one number: 1
Second: in the SQL query there is (int) ... so the same as in the first case...
I have tried it in Perl and got some hash code (a different hash code every time)... I got the same with every URL address, e.g. index.php?option=com_content&view=article&id=1+AND .... ???
I have contacted the Joomla! Security Team too; they didn't find any problem there either.
Some respectable sites which deal with security removed this exploit information from their sites...
But the internet and applications on the internet will never be secure, so I am monitoring all activity on this topic... if someone gets some similar or important information, please contact me via e-mail (info [at] phoca [dot] cz)
Thank you, Jan
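
The two layers described in the post above, as an added example that is not part of the original post and is not Phoca or Joomla! code. `filter_int_param` is a hypothetical stand-in for the 'int' filter (assumed here to keep the first run of digits and cast it), and the table name is made up.

```php
<?php
// Layer 1: hypothetical stand-in for JRequest::getVar('id', 0, '', 'int').
// Assumption: the filter keeps the first run of digits (with an optional
// leading minus) and casts it; anything else yields the default.
function filter_int_param(array $request, string $name, int $default = 0): int
{
    if (!isset($request[$name]) || !is_scalar($request[$name])) {
        return $default; // missing, or an array such as id[]=1
    }
    if (preg_match('/-?[0-9]+/', (string) $request[$name], $m)) {
        return (int) $m[0];
    }
    return $default;
}

// Layer 2: cast again at the point where the value enters the SQL text,
// so the query stays safe even if a caller skips layer 1.
// Table and column names are hypothetical.
function build_section_query($id): string
{
    return 'SELECT * FROM #__example_sections WHERE id = ' . (int) $id;
}

// Constructed sample inputs, as PHP decodes them from the query string
// ("+" in the URL arrives as a space).
$samples = [
    '1',
    '1 AND 1',
    '7abc',
    'abc',
    '',
    ['1'],
];

foreach ($samples as $raw) {
    $id  = filter_int_param(['id' => $raw], 'id');
    $sql = build_section_query($id);
    // Whatever the raw input was, the query must end in a bare integer.
    if (preg_match('/ id = -?[0-9]+$/', $sql) !== 1) {
        throw new RuntimeException('non-integer reached the query: ' . $sql);
    }
    printf("%-12s -> %s\n", json_encode($raw), $sql);
}
```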