SQL injection in Joomla! 1.5.x

I stumbled upon a rather serious security hole in this CMS, and given the system's great popularity I decided to post it here.
Roughly speaking, it allows the administrator password to be changed because input parameters are insufficiently filtered.

Check whether your site is vulnerable by opening the link

site.name/index.php?option=com_user&view=reset&layout=confirm

and typing a single quote in the token field.

Vulnerable code:

File : /components/com_user/controller.php

#####################################################################################
Line: 379-399

function confirmreset()
{
    // Check for request forgeries
    JRequest::checkToken() or die( 'Invalid Token' );

    // Get the input
    $token = JRequest::getVar('token', null, 'post', 'alnum');

    // Get the model
    $model = &$this->getModel('Reset');

    // Verify the token
    if ($model->confirmReset($token) === false)
    {
        $message = JText::sprintf('PASSWORD_RESET_CONFIRMATION_FAILED', $model->getError());
        $this->setRedirect('index.php?option=com_user&view=reset&layout=confirm', $message);
        return false;
    }

    $this->setRedirect('index.php?option=com_user&view=reset&layout=complete');
}

#####################################################################################

File : /components/com_user/models/reset.php

Line: 111-130

function confirmReset($token)
{
    global $mainframe;

    $db = &JFactory::getDBO();
    $db->setQuery('SELECT id FROM #__users WHERE block = 0 AND activation = '.$db->Quote($token));

    // Verify the token
    if (!($id = $db->loadResult()))
    {
        $this->setError(JText::_('INVALID_TOKEN'));
        return false;
    }

    // Push the token and user id into the session
    $mainframe->setUserState($this->_namespace.'token', $token);
    $mainframe->setUserState($this->_namespace.'id', $id);

    return true;
}
#####################################################################################

As you can see, you need to add escaping of quotes in $db->Quote($token).
Once again I was convinced of the low security of Joomla sites and their mods... unfortunately.
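To show why the lookup above accepts a lone single quote and what check closes the hole, here is an added stand-alone model of confirmReset() (example code, not Joomla's own): filterAlnum(), quote(), USERS and lookupByToken() are stand-ins for JRequest's 'alnum' filter, $db->Quote(), the #__users table and loadResult(), and the 32-character token length is an assumption stated in the code.

```php
<?php
// Added example, not Joomla's code: a stand-alone model of the token lookup in
// confirmReset() above, next to the input check that refuses an empty token.
// Stand-in for JRequest's 'alnum' filter: every character that is not A-Z/0-9 is
// dropped, so a lone single quote turns into the empty string.
function filterAlnum(string $raw): string {
    return preg_replace('/[^A-Z0-9]/i', '', $raw);
}
// Stand-in for $db->Quote(): escape and wrap in single quotes.
function quote(string $value): string {
    return "'" . addslashes($value) . "'";
}
// Constructed sample of #__users: an account with no pending reset holds the
// empty string in `activation`; the second row carries a constructed 32-char token.
const USERS = [
    ['id' => 62, 'block' => 0, 'activation' => ''],
    ['id' => 63, 'block' => 0, 'activation' => 'a1b2c3d4e5f60718293a4b5c6d7e8f90'],
];
// In-memory equivalent of loadResult() for the query built below.
function lookupByToken(string $token): ?int {
    foreach (USERS as $u) {
        if ($u['block'] === 0 && $u['activation'] === $token) {
            return $u['id'];
        }
    }
    return null;
}
// Original flow: filter, quote, query. Returns the matched user id or null.
function confirmResetOriginal(string $rawToken): ?int {
    $token = filterAlnum($rawToken);
    $sql = 'SELECT id FROM #__users WHERE block = 0 AND activation = ' . quote($token);
    // For the input "'" the clause reads "AND activation = ''", which every
    // unblocked account without a pending reset satisfies; quoting does not help.
    return lookupByToken($token);
}
// Hardened flow: a genuine reset token is a 32-character hash (assumed here), so
// input of any other length is rejected before the database is consulted.
function confirmResetHardened(string $rawToken): ?int {
    $token = filterAlnum($rawToken);
    if (strlen($token) !== 32) {
        return null;
    }
    return lookupByToken($token);
}
// Both flows receive a lone quote; only the hardened one refuses it, and the
// hardened one still accepts the constructed genuine token.
var_dump(confirmResetOriginal("'"));
var_dump(confirmResetHardened("'"));
var_dump(confirmResetHardened('a1b2c3d4e5f60718293a4b5c6d7e8f90'));
```

The length check is the essential part: the alnum filter already removes the quote, so the real defect is that an empty token is looked up at all.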

Source: https://habr.com/ru/post/36884/
