Solved kunena 5.0.2 is suspect to Vulnerability SQL Injection

3 years 11 months ago - 3 years 11 months ago #1 by davood71
Hi
I think Kunena 5.0.2 is susceptible to an SQL injection vulnerability,
because of what
I see in the Kunena source.
Please go to: com_kunena-->models-->user.php
For example, this code (at line 83):
// Hide super admins from the list
		if (KunenaFactory::getConfig()->superadmin_userlist)
		{
			$db    = JFactory::getDBO();
			$query = "SELECT user_id FROM `#__user_usergroup_map` WHERE group_id =8";
			$db->setQuery($query);
			$superadmins = (array) $db->loadColumn();
 
			if (!$superadmins)
			{
				$superadmins = array(0);
			}
 
			$this->setState('list.exclude', implode(',', $superadmins));
 
			$where = ' u.id NOT IN (' . $this->getState('list.exclude') . ') AND ';
		}

In this code, quoteName is not used.
Please see this link: docs.joomla.org/Selecting_data_using_JDatabase
That page says to use quoteName (for the query) to prevent SQL injection.
Can I ask you why quoteName is not used?

source from joomla --> com_users-->models-->user.php
// Remove the users from the group if requested.
		if (isset($doDelete))
		{
			$query = $db->getQuery(true);
 
			// Remove users from the group
			$query->delete($db->quoteName('#__user_usergroup_map'))
				->where($db->quoteName('user_id') . ' IN (' . implode(',', $user_ids) . ')');
 
			// Only remove users from selected group
			if ($doDelete == 'group')
			{
				$query->where($db->quoteName('group_id') . ' = ' . (int) $group_id);
			}
 
			$db->setQuery($query);
In this code, quoteName is used for the query.

1- Is this really a vulnerability, or am I mistaken?
2- Can I change any connection to the DB and insert quoteName in the code?

Please see this link: api.joomla.org/cms-3/classes/JDatabaseQuery.html
That page says this about quoteName:

Wrap an SQL statement identifier name such as column, table or database names in quotes to prevent injection risks and reserved word conflicts.

Thank you for reading the topic.
Please answer me.
I will wait for your answer :)
Last edit: 3 years 11 months ago by davood71.

3 years 11 months ago #2 by davood71
Please answer me.
I am worried, because I think this code is not safe and is vulnerable.
Kunena is a very good component; I want to use Kunena beside JomSocial.
Please answer me.
Thank you

3 years 11 months ago #3 by 810
The code is safe, you don't have to worry about it. But we can include it.
The following user(s) said Thank You: davood71

3 years 11 months ago #4 by davood71
Thank you for the answer.

But we can include it.

In the future (for the next version of Kunena), will the Kunena SQL code be improved?
Sorry, I do not understand what you mean (But we can include it).

3 years 11 months ago #5 by 810
I have added the code to the next version
The following user(s) said Thank You: davood71

3 years 11 months ago #6 by davood71
Excuse me for opening the topic again.
Thank you very much.
Is it possible to check all the code (SQL queries) and add it in the next version for all queries in the source?
Because I see that all the queries in Kunena (frontend) do not include quoteName.
Is it possible?
Thank you for the answer.

3 years 11 months ago #7 by 810
I will add it on the K5.1 todo list.
The following user(s) said Thank You: davood71

3 years 11 months ago #8 by xillibit

davood71 wrote: Excuse me for opening the topic again.
Thank you very much.
Is it possible to check all the code (SQL queries) and add it in the next version for all queries in the source?
Because I see that all the queries in Kunena (frontend) do not include quoteName.
Is it possible?
Thank you for the answer.

Hello,

There are vulnerabilities when the entries from a form aren't filtered correctly, so using JDatabaseQuery just makes the queries database agnostic.

I don't provide support by PM, because this can be useful for someone else.
The following user(s) said Thank You: davood71
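
The distinction made in the reply above, as an added example that is not part of the thread and is not Kunena or Joomla code: quoting identifiers does not filter values, so a list taken from request input has to be cast before it reaches `IN (...)`. `quote_name()`, `int_list()` and `excluded_ids_query()` are hypothetical helpers, the table and the request value are constructed, and it assumes PHP with the PDO SQLite driver.

```php
<?php
// Added example, not Kunena or Joomla code. quote_name(), int_list() and
// excluded_ids_query() are hypothetical; table, rows and input are constructed.

// Identifier quoting in the MySQL style: wrap in backticks, double any embedded one.
function quote_name(string $identifier): string
{
    return '`' . str_replace('`', '``', $identifier) . '`';
}

// Value filtering for a numeric IN (...) list: cast every element to int.
function int_list(array $values): string
{
    $ints = array_map('intval', $values);
    return $ints ? implode(',', $ints) : '0';   // same idea as the array(0) fallback in post #1
}

// Every identifier is quoted; the list is inserted exactly as passed in.
function excluded_ids_query(string $list): string
{
    return 'SELECT ' . quote_name('id') . ' FROM ' . quote_name('users')
        . ' WHERE ' . quote_name('id') . ' NOT IN (' . $list . ')';
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY)');
$pdo->exec('INSERT INTO users (id) VALUES (1), (2), (3)');

// Constructed request input: the caller expects user 3 to be hidden.
$fromRequest = array('3) OR (1=1');

// Identifiers quoted, value unfiltered: the value rewrites the WHERE clause.
$unfiltered = excluded_ids_query(implode(',', $fromRequest));
// Identifiers quoted, value cast to int: the clause keeps its meaning.
$filtered = excluded_ids_query(int_list($fromRequest));

foreach (array('unfiltered' => $unfiltered, 'filtered' => $filtered) as $label => $sql) {
    $ids = $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
    echo $label, ': ', $sql, PHP_EOL, '  rows: ', implode(',', $ids), PHP_EOL;
}
```

Both queries quote every identifier; only the one built with `int_list()` still hides user 3.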

3 years 11 months ago #9 by davood71
Thank you very much.
Your team is great.
I will be waiting for Kunena 5.1 for the improved queries.
Thank you
Good luck
