Kunena 6.4.8 Released

The Kunena team has announced the arrival of Kunena 6.4.8 [K 6.4.8] in stable, which is now available for download as a native Joomla extension for J! 5.0.x/5.1.x/5.2.x/5.3.x/5.4.x. This version addresses most of the issues that were discovered in K 6.2 / K 6.3 / K 6.4 and issues discovered during the last development stages of K 6.4.
Important note: Go to the Kunena Dashboard after an upgrade so that the Kunena database tables are also updated. This is particularly necessary for major version jumps so that the table changes are adapted.

Please Read This First:


This category is only for reporting defects with K 3.0.

Do not use this category:
  • to ask general questions about how to use K 3.0 or to ask when new versions of Kunena will be released;
  • to ask about other (older) versions of Kunena; or
  • if you have tried to install K 3.0 on J! 1.5; or
  • if you installed K 3.0 on a live, production site and you want your site restored to its previous state; or
  • if this website ( www.kunena.org ) works but works differently to how you expected.

You must include your K 3.0 configuration report; if you do not include your configuration report, your topic may be closed (locked) or deleted without any further warnings from the moderators.

Topics that have been closed (resolved) will be archived and no further discussion on those topics will be allowed.

Question SQL Injection Vulnerability (false alarm)

10 years 9 months ago - 10 years 9 months ago #163024 by clickprecision
I get scanned from McAfee Secure and they picked up on this vulnerability:
This message contains confidential information


Many thanks
Last edit: 10 years 9 months ago by Matias.

10 years 9 months ago #163025 by 810
Replied by 810 on topic SQL Injection Vulnerability
Could you add the Kunena report?

10 years 9 months ago #163028 by clickprecision
This message contains confidential information

Database collation check: The collation of your table fields are correct

Joomla! SEF: Enabled | Joomla! SEF rewrite: Enabled | FTP layer: Disabled |

This message contains confidential information
htaccess: Exists | PHP environment: Max execution time: 180 seconds | Max execution memory: 64M | Max file upload: 20M

Kunena menu details:

Warning: Spoiler!

Joomla default template details : theme3022 | author: TemplateMonster.com | version: 3.0 | creationdate: Unknown

Kunena default template details : Custom | author: TemplateMonster | version: 3.0.6 | creationdate: 2014-02-26

Kunena version detailed: Kunena 3.0.6 | 2014-07-28 [ Tala ]
| Kunena detailed configuration:

Warning: Spoiler!
| Kunena integration settings:
Warning: Spoiler!
| Joomla! detailed language files installed:
Warning: Spoiler!

Third-party components: None

Third-party SEF components: None

Plugins: None

Modules: None

10 years 9 months ago #163029 by 810
Replied by 810 on topic SQL Injection Vulnerability
Look at your Kunena template components\com_kunena\template\your_template\html\user\list.php

And look that the inputs are $this->escape. Then you will be fine.

You can use the default kunena template, and do a scan again.
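
The check described in the reply above (that values echoed by the template override pass through $this->escape), as an added example that is not part of the original thread or of Kunena's code. The template lines are constructed sample input, treating intval( as a second safe wrapper is an assumption, and the scan is a line-based heuristic that looks at template output only.

```python
import re

# A PHP echo statement or short echo tag; captures the echoed expression.
ECHO_RE = re.compile(r"(?:<\?=|\becho\b)\s*(.+?)\s*(?:;|\?>)")
# Wrappers treated as safe. intval( is an assumption added for this example.
SAFE_WRAPPERS = ("$this->escape(", "intval(")

def wrapped_by(expr, prefix):
    """True when the whole expression is a single call to the given wrapper."""
    if not expr.startswith(prefix) or not expr.endswith(")"):
        return False
    depth = 0
    start = len(prefix) - 1  # index of the wrapper's opening parenthesis
    for i, ch in enumerate(expr[start:], start):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                # The wrapper must close on the last character, otherwise
                # something is concatenated after the escaped part.
                return i == len(expr) - 1
    return False

def find_unescaped_echoes(php_source):
    """Return (line number, expression) for echoed variables that are not escaped."""
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        for match in ECHO_RE.finditer(line):
            expr = match.group(1)
            if "$" not in expr:
                continue  # no variable: a literal or a language-string lookup
            if not any(wrapped_by(expr, w) for w in SAFE_WRAPPERS):
                findings.append((lineno, expr))
    return findings

# Constructed sample lines, not taken from any real Kunena template.
SAMPLE = '''<th><?php echo JText::_('EXAMPLE_LABEL'); ?></th>
<td><?php echo $this->escape($user->name); ?></td>
<td><?php echo $user->location; ?></td>
<td><?php echo intval($user->posts); ?></td>
<input name="search" value="<?php echo $this->state->get('list.search'); ?>" />
<td><?= $this->escape($user->rank) . ' ' . $user->title ?></td>'''

if __name__ == "__main__":
    for lineno, expr in find_unescaped_echoes(SAMPLE):
        print(f"line {lineno}: unescaped output: {expr}")
```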

10 years 9 months ago - 10 years 9 months ago #163034 by clickprecision
Thank you for your help, however that did not seem to fix the issue. Example:

This message contains confidential information
Last edit: 10 years 9 months ago by 810.
The following user(s) said Thank You: xillibit

10 years 9 months ago #163041 by 810
Replied by 810 on topic SQL Injection Vulnerability
Thank you for your report, we will fix this issue.
The following user(s) said Thank You: clickprecision
