I managed to replicate it on my local host, although I don't understand the SQL. The SQL gets the 1st username and password (as MD5) from jos_users and sneakily puts the un and pass into the <?php echo $row->description; ?> that the description column in the database (from table jos_ignitegallery) would usually fill. So then they can try and crack the MD5 and hack hack hack. I think my site was breached, but I can't see any changes; I guess they want me to be unaware so I don't release a patch. I tried emailing some people by googling com_ignitegallery. It looks like about one in a dozen sites are already hacked; there are too many sites for me to contact everyone. I changed my site so you have to register to download, so I can notify about any security stuff, and I am going to be anally retentive about security from now on. Damn, that was a wake up call, and a waste of a weekend.
On Oct 12, 5:26 pm, "Jochen Daum" <[EMAIL PROTECTED]> wrote:
> Hi,
>
> On Sat, Oct 11, 2008 at 12:46 PM, matt_thomson <[EMAIL PROTECTED]> wrote:
> > Hi, usually I wouldn't post on the weekend, but I have got a semi
> > urgent issue, if anyone is still working could they give me a hand
> > please.
> >
> > I have a Joomla open source component, I think there are about 10,000
> > people using it. I got notified of this page this morning:
> > http://milw0rm.org/exploits/6723
> >
> > The gist of the page is this:
> >
> > Exploit: /index.php?option=com_ignitegallery&task=view&gallery=[SQL]&Itemid=18
> >
> > Example: /index.php?option=com_ignitegallery&task=view&gallery=-1+union+select+1,2,concat(username,char(58),password)KHG,4,5,6,7,8,9,10+from+jos_users--&Itemid=18
>
> I don't quite understand how the query is supposed to work, but possibly it
> shows specific user data that you don't want to show.
>
> > And my PHP code is more or less this:
> >
> > $task = JRequest::getString('task', '');
> > $gallery = JRequest::getString('gallery', '');
> >
> > $db =& JFactory::getDBO();
> > $query = "SELECT * FROM #__ignitegallery WHERE id = $gallery";
> > $db->setQuery($query);
> > $row = $db->loadObject();
> >
> > <?php echo $row->description; ?>
> > <h3><?php echo $row->name; ?></h3>
> >
> > I have used the standard Joomla JRequest class to sanitise my
> > variables:
> > http://dev.joomla.org/component/option,com_jd-wiki/Itemid,/id,referen...
>
> I haven't dug deeply into the input sanitisation process of Joomla there,
> but I think you should use getInt().
>
> HTH, Jochen

--
NZ PHP Users Group: http://groups.google.com/group/nzphpug
To post, send email to [email protected]
To unsubscribe, send email to [EMAIL PROTECTED]
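Jochen's getInt() suggestion worked through as an added example; this is not code from either message or from the component itself. It assumes PHP 7.1+ with pdo_sqlite, and uses a constructed in-memory table in place of #__ignitegallery so it runs without a Joomla install.

```php
<?php
// Added example, not the component's own code: the lookup from the post
// rebuilt so the gallery id is typed as an integer before it reaches SQL.
// Assumes PHP 7.1+ with pdo_sqlite; the table below is a constructed
// stand-in for #__ignitegallery.

// Constructed request values: a legitimate id, and input of the shape the
// advisory describes, which is a string that can never be a gallery id.
$goodInput = '18';
$badInput  = '-1 union select ... from jos_users--';

// The original used JRequest::getString('gallery', '') and then
//   "SELECT * FROM #__ignitegallery WHERE id = $gallery"
// so whatever the string contained became part of the statement.
// JRequest::getInt('gallery', 0) is the Joomla 1.5 fix; filter_var below
// spells out the same rule: a plain integer, positive, or it is rejected.
function galleryId(string $raw): ?int {
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function safeLookup(PDO $db, string $raw): ?array {
    $id = galleryId($raw);
    if ($id === null) {
        return null;   // refuse the request rather than build SQL from it
    }
    // Bound parameter: the id is data, so it cannot extend the statement
    // even if the integer check were ever loosened.
    $stmt = $db->prepare('SELECT id, name, description FROM ignitegallery WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed fixture standing in for the component's table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ignitegallery (id INTEGER PRIMARY KEY, name TEXT, description TEXT)');
$db->exec("INSERT INTO ignitegallery VALUES (18, 'Holiday', 'Photos from the coast')");

var_dump(safeLookup($db, $badInput));   // rejected before any SQL is built
var_dump(safeLookup($db, $goodInput));  // the Holiday row

// Output encoding is a separate concern: when echoing $row['description']
// into the page, wrap it in htmlspecialchars() as well.
```

The same integer rule should cover every id-like parameter the component reads, not just gallery, since the page's own code reads task with getString() as well.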
