Wednesday, 19 April 2017
  10 Replies
  1.8K Visits
0
Votes
Undo
I am running Joomla 3.6.5 (just upgraded from 3.6.3) with JEvents 3.4.33 (just upgraded from 3.4.17). The system has PHP 5.5.38 and Mysql 5.5.54. Our network admin just informed me that there is a SQL injection with

http://mysite/index.php/events/calendar/eventsbyyear/2012/1*

from which I can get everything about the database. I confirmed that with sqlmap. So I upgraded Joomla and JEvents, as mentioned above, but the problem remains. Any suggestions?
7 years ago
·
#186914
0
Votes
Undo
Hello,

I can't see how we have an sql injection issue on this page given it takes no input by default.

Can you please provide more in-depth detail of the SQL injection. You can post it in the Site Details Tab under notes to keep it private.

Many thanks
Tony

JEvents Club members can get priority forum support at the Support Forum. As well as access to a variety of custom JEvents addons and benefits. Join the JEvents club today!Join the JEvents club today!

7 years ago
·
#186924
0
Votes
Undo
Hi Tony,

Thanks for your response. I put the sqlmap results in the Site Details panel. Unfortunately, the server is no longer accessible from outside because of the risk. Otherwise you can have a direct test.
7 years ago
·
#186941
0
Votes
Undo
Can you try running the payload on the url so:

http://mysite/index.php/events/calendar/eventsbyyear/2012/1?tmpl=component

This will indicate if it is caused by a module on the same page.

Many thanks
Tony

JEvents Club members can get priority forum support at the Support Forum. As well as access to a variety of custom JEvents addons and benefits. Join the JEvents club today!Join the JEvents club today!

7 years ago
·
#186964
0
Votes
Undo
Tested with sqlmap, no special output with that url. I did the following to disable SQL injection

components/com_jevents/router.php
Line 946-950:
// if ($segments[$slugcount] != ":" )
if ($segments[$slugcount] != ":" && JString::strlen($segments[$slugcount]) < 3)

Is there any other places that should be taken care of?

Thanks!
7 years ago
·
#186968
0
Votes
Undo
This appears to be an attempt to exploit the catids variable in the URL - but we specifically force this to be an integer array and I am unable to re-create your results using sqlmap. As Tony - I wonder if the issue could be related to a module on this page on your site?

I have hardened up some of the inputs in this version of JEvents - would you mind testing it and reporting back. Please leave the details on the private 'site details' tab as you have done before - thanks.

JEvents Club members can get priority forum support at the Support Forum. As well as access to a variety of custom JEvents addons and benefits. Join the JEvents club today!

7 years ago
·
#186969
0
Votes
Undo
I will update JEvents later and report to you later. For now, the website is online again (with minor revision in router.php) , could you please have a test (see Site Details) to see if any other modules could have caused the problem?

Thanks!
7 years ago
·
#186970
0
Votes
Undo
The change you made to the router will stop the ability to filter by multiple categories so what changed was different to this.

It would be very helpful if I could add a couple of diagnostic messages to your code to see where this code is being called since I can't recreate the issue on my server

Please let me know if the code changes resolve the issue.

JEvents Club members can get priority forum support at the Support Forum. As well as access to a variety of custom JEvents addons and benefits. Join the JEvents club today!

7 years ago
·
#186989
0
Votes
Undo
I updated the package to 3.4.34 that you offered, but it is still injectable. So I still constrain the length of the arguments. What else do you want to test? Please send me files to be replaced with. But our admin ask us to keep the site not injectable all the time.
7 years ago
·
#187004
0
Votes
Undo
I could not see how this is possible in JEvents and eventually spotted the problem. I'll send you private message with the fix (see envelope icon at the top of this page).

JEvents Club members can get priority forum support at the Support Forum. As well as access to a variety of custom JEvents addons and benefits. Join the JEvents club today!

7 years ago
·
#187046
0
Votes
Undo
Problem solved. Thanks!
  • Page :
  • 1
There are no replies made for this post yet.