Hi,
On Sat, Oct 11, 2008 at 12:46 PM, matt_thomson <[EMAIL PROTECTED]> wrote:
>
> Hi, usually I wouldn't post on the weekend, but I have got a semi
> urgent issue, if anyone is still working could they give me a hand
> please.
>
> I have a Joomla open source component, I think there are about 10,000
> people using it. I got notified of this page this morning:
> http://milw0rm.org/exploits/6723
>
> The gist of the page is this:
>
> Exploit: /index.php?option=com_ignitegallery&task=view&gallery=[SQL]&Itemid=18
>
> Example: /index.php?option=com_ignitegallery&task=view&gallery=-1+union+select+1,2,concat(username,char(58),password)KHG,4,5,6,7,8,9,10+from+jos_users--&Itemid=18

I don't quite understand how the query is supposed to work, but possibly it shows specific user data that you don't want to show.

> And my php code is more or less this:
>
> $task = JRequest::getString('task', '');
> $gallery = JRequest::getString('gallery', '');
>
> $db =& JFactory::getDBO();
> $query = "SELECT * FROM #__ignitegallery WHERE id = $gallery";
> $db->setQuery($query);
> $row = $db->loadObject();
>
> <?php echo $row->description; ?>
> <h3><?php echo $row->name; ?></h3>
>
> I have used the standard Joomla JRequest class to sanitise my
> variables:
>
> http://dev.joomla.org/component/option,com_jd-wiki/Itemid,/id,references:joomla.framework:environment:jrequest/

I haven't dug deeply into the input sanitisation process of Joomla there, but I think you should use getInt().

HTH,
Jochen

--
NZ PHP Users Group: http://groups.google.com/group/nzphpug
To post, send email to [email protected]
To unsubscribe, send email to [EMAIL PROTECTED]
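The following is an added example, not code from the thread or from the Joomla project. It models the component's query in Python against an in-memory SQLite database so that the milw0rm payload can be run and the effect of Jochen's getInt() suggestion can be checked. The schema is constructed: #__ignitegallery is given ten columns (the UNION in the payload has ten select-list entries, so that is the column count the attacker counted), jos_users is reduced to id/username/password with a fake hash, and the third column is description because that is the field the template echoes and the slot the payload puts the concatenation in. The SQLite dialect differs slightly from MySQL, so the payload uses `||` in place of concat() and a string literal in place of char(58). php_int_cast() is a hypothetical helper that imitates the leading-digits behaviour of PHP's (int) cast, which is what getInt() relies on.

```python
import re
import sqlite3

# Constructed sample data for the demonstration only.
SCHEMA = """
CREATE TABLE jos_ignitegallery (
    id INTEGER, name TEXT, description TEXT,
    c4 TEXT, c5 TEXT, c6 TEXT, c7 TEXT, c8 TEXT, c9 TEXT, c10 TEXT);
INSERT INTO jos_ignitegallery VALUES
    (1, 'Holiday', 'Summer pics', '', '', '', '', '', '', '');
CREATE TABLE jos_users (id INTEGER, username TEXT, password TEXT);
INSERT INTO jos_users VALUES (62, 'admin', 'fakehash:fakesalt');
"""

# The milw0rm payload, translated to SQLite syntax. id = -1 matches no
# gallery, so the only row returned is the one the UNION adds from jos_users.
# Column 3 of the result is what the template prints as $row->description.
PAYLOAD = ("-1 union select 1,2,username||':'||password,4,5,6,7,8,9,10 "
           "from jos_users--")


def build_db():
    """Create the constructed tables in memory."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def view_gallery_vulnerable(db, gallery):
    """Mirrors the posted component: getString() leaves the value alone and it
    is interpolated straight into the WHERE clause."""
    query = f"SELECT * FROM jos_ignitegallery WHERE id = {gallery}"
    row = db.execute(query).fetchone()
    if row is None:
        return None
    return {"name": row[1], "description": row[2]}


def php_int_cast(value):
    """Hypothetical helper imitating PHP's (int) cast on a string: leading
    whitespace, optional sign and digits are read, everything after the
    digits is dropped, and a non-numeric string becomes 0."""
    m = re.match(r"\s*[+-]?\d+", value)
    return int(m.group()) if m else 0


def view_gallery_fixed(db, gallery):
    """What getInt() buys you: the value is forced to an integer before it can
    reach SQL, so '-1 union select ...' collapses to -1. Binding the value as
    a parameter instead of interpolating it is the habit to adopt on top."""
    gallery_id = php_int_cast(gallery)
    row = db.execute(
        "SELECT * FROM jos_ignitegallery WHERE id = ?", (gallery_id,)
    ).fetchone()
    if row is None:
        return None
    return {"name": row[1], "description": row[2]}


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, normal request:", view_gallery_vulnerable(db, "1"))
    print("vulnerable, payload:       ", view_gallery_vulnerable(db, PAYLOAD))
    print("fixed, normal request:     ", view_gallery_fixed(db, "1"))
    print("fixed, payload:            ", view_gallery_fixed(db, PAYLOAD))
```

Run as a script, the vulnerable path returns the admin username and password hash in the description field for the payload request, while the fixed path returns nothing for it and still serves gallery 1 normally. Note that the cast alone is what closes this particular hole; the parameter binding is there because the next string-typed field someone interpolates will not be rescued by getInt().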
