vinny replied the topic: Re: Blind SQL injection Vulnerability
Hi Dave - we can't confirm that this is a valid exploit (normally we hear about it immediately and release a patch - the link you posted is over a year old and we would have heard about it before now!). We've double-checked the cat model and verified that it will only accept integers to avoid SQL injections; however, we did find a couple of instances where we could be a little more strict - I've attached a patch file.
You can unzip the attached and replace the corresponding files via FTP (for example: site/models/cat.php will replace your front-end 'com_projectlog/models/cat.php'). Please back up the files you replace and let us know if you come across any issues - if all works as expected we'll add these changes to the zip download just in case! Thanks.
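The reply above describes a model that only accepts integers for the category id and a patch that makes that check "a little more strict". The following is an added illustration of that distinction, not code from the post or from the com_projectlog patch: a lax `(int)` cast silently coerces tampered input into a valid id, while strict validation rejects it outright before a parameterised query runs. The `cats` table, its columns and the sample inputs are constructed for the demo.

```php
<?php
// Strict integer-only validation of a category id.
// Returns the id as int, or null for anything that is not a plain decimal integer.
function validateCatId(string $raw): ?int
{
    // Only an optional minus sign and up to 10 digits; no whitespace, decimals, hex,
    // or trailing SQL fragments. (int) would have accepted "2 OR 1=1" as 2.
    if (!preg_match('/^-?\d{1,10}$/', $raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT); // also enforces PHP int range
    return $id === false ? null : $id;
}

// Looks up a category by id using a bound integer parameter.
// Returns the row, or null when the id is rejected or not found.
function fetchCategory(PDO $db, string $rawId): ?array
{
    $id = validateCatId($rawId);
    if ($id === null || $id < 1) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, name FROM cats WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory data for the demo.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE cats (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO cats VALUES (1, 'Hardware'), (2, 'Software')");

// Compare the lax cast with the strict check on a few constructed inputs.
foreach (['2', '2 OR 1=1', "2' --", '0x2', ' 2', '2.0', ''] as $input) {
    $row = fetchCategory($db, $input);
    printf("%-12s lax=(int)%d  strict=%s\n",
        var_export($input, true), (int) $input, $row ? $row['name'] : 'rejected');
}
```

Only the plain `'2'` reaches the query; every other input is refused by the strict check even though `(int)` would have mapped most of them to id 2, hiding the tampering.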