Hi, usually I wouldn't post on the weekend, but I have got a semi urgent issue, if anyone is still working could the give me a hand please.
I have a Joomla open source component, I think there are about 10,000 people using it. I got notified of this page this morning: http://milw0rm.org/exploits/6723 This gist of the page is this: Exploit: /index.php? option=com_ignitegallery&task=view&gallery=[SQL]&Itemid=18 Example: /index.php?option=com_ignitegallery&task=view&gallery=-1+union +select+1,2,concat(username,char(58),password)KHG,4,5,6,7,8,9,10+from +jos_users--&Itemid=18 And my php code is more or less this: $task = JRequest::getString('task', ''); $gallery = JRequest::getString('gallery', ''); $db =& JFactory::getDBO(); $query = "SELECT * FROM #__ignitegallery WHERE id = $gallery"; $db->setQuery($query); $row = $db->loadObject(); <?php echo $row->description; ?> <h3><?php echo $row->name; ?></h3> I have used the standard Joomla jRequest class to sanatise my variables: http://dev.joomla.org/component/option,com_jd-wiki/Itemid,/id,references:joomla.framework:environment:jrequest/ It seems the hacker thinks he has found a way around it. Does anyone know what the sql injection is supposed to do, I have tried it on a site and it does nothing, but I may not be doing it right. I dont understand sql to this level. Thanks, Matt. --~--~---------~--~----~------------~-------~--~----~ NZ PHP Users Group: http://groups.google.com/group/nzphpug To post, send email to [email protected] To unsubscribe, send email to [EMAIL PROTECTED] -~----------~----~----~----~------~----~------~--~---
