By fhorse on Wednesday, 19 April 2017
Replies 10
Likes 1
Views 1.8K
Votes 0
I am running Joomla 3.6.5 (just upgraded from 3.6.3) with JEvents 3.4.33 (just upgraded from 3.4.17). The system has PHP 5.5.38 and MySQL 5.5.54. Our network admin just informed me that there is a SQL injection with

http://mysite/index.php/events/calendar/eventsbyyear/2012/1*

from which I can get everything about the database. I confirmed that with sqlmap. So I upgraded Joomla and JEvents, as mentioned above, but the problem remains. Any suggestions?
Hello,

I can't see how we have a SQL injection issue on this page, given it takes no input by default.

Can you please provide more in-depth detail of the SQL injection. You can post it in the Site Details Tab under notes to keep it private.

Many thanks
Tony
7 years ago · 1 Like · 0 Votes · 0 Comments
Hi Tony,

Thanks for your response. I put the sqlmap results in the Site Details panel. Unfortunately, the server is no longer accessible from outside because of the risk; otherwise you could test it directly.
7 years ago · 1 Like · 0 Votes · 0 Comments
Can you try running the payload on the URL like so:

http://mysite/index.php/events/calendar/eventsbyyear/2012/1?tmpl=component

This will indicate if it is caused by a module on the same page.

Many thanks
Tony
7 years ago · 1 Like · 0 Votes · 0 Comments
Tested with sqlmap: no special output with that URL. I did the following to stop the SQL injection:

components/com_jevents/router.php
Line 946-950:

```php
// Original condition, now commented out:
// if ($segments[$slugcount] != ":" )
// Replacement: additionally reject any segment of 3 or more characters
if ($segments[$slugcount] != ":" && JString::strlen($segments[$slugcount]) < 3)
```

Are there any other places that should be taken care of?

Thanks!
7 years ago · 1 Like · 0 Votes · 0 Comments
This appears to be an attempt to exploit the catids variable in the URL, but we specifically force this to be an integer array and I am unable to re-create your results using sqlmap. Like Tony, I wonder whether the issue could be related to a module on this page on your site.

I have hardened some of the inputs in this version of JEvents. Would you mind testing it and reporting back? Please leave the details on the private 'site details' tab as you have done before. Thanks.
7 years ago · 1 Like · 0 Votes · 0 Comments
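The reply above says the category ids from the URL are forced into an integer array. The following is an added example of what that coercion looks like, written for this thread and not taken from JEvents' router or model code (the function names and the sample segments are assumptions). It also runs the same inputs through the length-limit condition posted earlier in the thread, to show why a length cap is the wrong control: it rejects a legitimate multi-category segment while the integer coercion neutralises the injection attempts without losing that feature.

```php
<?php
// Added example: coerce a "catids" route segment into an int array.
// Not JEvents code; parseCatIds/catIdsWhere/passesLengthPatch are assumed names.

/**
 * Parse a category-id route segment ("12" or "12,15,3") into a list of
 * non-negative integers. Any part that is not purely digits is dropped,
 * so an attacker-controlled string can never reach the SQL layer.
 */
function parseCatIds(string $segment): array
{
    $ids = [];
    foreach (explode(',', $segment) as $part) {
        $part = trim($part);
        // Only pure digit strings survive; "1*", "1' OR 1=1-- -" and "" are dropped.
        if ($part !== '' && preg_match('/^[0-9]+$/', $part) === 1) {
            $ids[] = (int) $part;
        }
    }
    return array_values(array_unique($ids));
}

/**
 * Build the WHERE fragment from the validated ids. Every element is
 * already an int, so implode() can only ever yield digits and commas.
 */
function catIdsWhere(array $ids): string
{
    if ($ids === []) {
        return '1=1'; // no category filter
    }
    return 'catid IN (' . implode(',', $ids) . ')';
}

/**
 * The length-limit condition posted in this thread, for comparison.
 * Note that sqlmap's "*" is only a marker for where payloads are substituted;
 * the actual injected requests are far longer than three characters.
 */
function passesLengthPatch(string $segment): bool
{
    return $segment !== ':' && strlen($segment) < 3;
}

// Constructed sample segments, as they would appear after /eventsbyyear/2012/
$samples = [
    '1',             // single category
    '1,2,3',         // several categories (legitimate multi-category filter)
    '1*',            // the sqlmap injection marker from the report
    "1' OR 1=1-- -", // a constructed injection attempt
];

foreach ($samples as $s) {
    $ids = parseCatIds($s);
    printf("%-18s -> ids=%-8s where=%-18s length-patch=%s\n",
        var_export($s, true),
        json_encode($ids),
        catIdsWhere($ids),
        passesLengthPatch($s) ? 'pass' : 'reject');
}
```

Running it shows '1,2,3' parsed to [1,2,3] by the coercion but rejected by the length check, while both injection strings parse to an empty list and so produce a harmless WHERE clause; the length check lets '1*' through, because the two-character marker itself is not the payload.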
I will update JEvents later and report back to you. For now, the website is online again (with a minor revision in router.php). Could you please run a test (see Site Details) to see if any other modules could have caused the problem?

Thanks!
7 years ago · 1 Like · 0 Votes · 0 Comments
The change you made to the router will stop the ability to filter by multiple categories, so whatever changed was different from this.

It would be very helpful if I could add a couple of diagnostic messages to your code to see where this code is being called, since I can't recreate the issue on my server.

Please let me know if the code changes resolve the issue.
7 years ago · 1 Like · 0 Votes · 0 Comments
I updated the package to 3.4.34 that you offered, but it is still injectable. So I still constrain the length of the arguments. What else do you want to test? Please send me the files to replace. But our admin asks us to keep the site non-injectable at all times.
7 years ago · 1 Like · 0 Votes · 0 Comments
I could not see how this is possible in JEvents and eventually spotted the problem. I'll send you a private message with the fix (see the envelope icon at the top of this page).
7 years ago · 1 Like · 0 Votes · 0 Comments
Problem solved. Thanks!
7 years ago · 1 Like · 0 Votes · 0 Comments