Kunena 6.2.5 & module Kunena Latest 6.0.7 released

The Kunena team has announced the arrival of Kunena 6.2.5 [K 6.2.5], which is now available for download as a native Joomla extension for J! 4.3.x/4.4.x/5.0.x. This version addresses most of the issues that were discovered in K 6.1 / K 6.2 and issues discovered during the last development stages of K 6.2.

Please Read This First:

This category is only for reporting defects with K 3.0.

Do not use this category:
  • to ask general questions about how to use K 3.0 or to ask when new versions of Kunena will be released;
  • to ask about other (older) versions of Kunena; or
  • if you have tried to install K 3.0 on J! 1.5; or
  • if you installed K 3.0 on a live, production site and you want your site restored to its previous state; or
  • if this website ( www.kunena.org ) works but works differently to how you expected.

You must include your K 3.0 configuration report; if you do not include your configuration report, your topic may be closed (locked) or deleted without any further warnings from the moderators.

Topics that have been closed (resolved) will be archived and no further discussion on those topics will be allowed.

Question SQL Injection Vulnerability (false alarm)

9 years 2 hours ago - 8 years 11 months ago #1 by clickprecision
I got scanned by McAfee Secure and they picked up on this vulnerability:

Many thanks
Last edit: 8 years 11 months ago by Matias.


8 years 11 months ago #2 by 810
Replied by 810 on topic SQL Injection Vulnerability
Could you add the Kunena report?


8 years 11 months ago #3 by clickprecision
Database collation check: The collation of your table fields are correct

Joomla! SEF: Enabled | Joomla! SEF rewrite: Enabled | FTP layer: Disabled | htaccess: Exists | PHP environment: Max execution time: 180 seconds | Max execution memory: 64M | Max file upload: 20M

Kunena menu details:

Joomla default template details: theme3022 | author: TemplateMonster.com | version: 3.0 | creationdate: Unknown

Kunena default template details: Custom | author: TemplateMonster | version: 3.0.6 | creationdate: 2014-02-26

Kunena version detailed: Kunena 3.0.6 | 2014-07-28 [ Tala ]

Kunena detailed configuration:

Kunena integration settings:

Joomla! detailed language files installed:

Third-party components: None

Third-party SEF components: None

Plugins: None

Modules: None


8 years 11 months ago #4 by 810
Replied by 810 on topic SQL Injection Vulnerability
Look at your Kunena template: components\com_kunena\template\your_template\html\user\list.php

And check that the inputs use $this->escape. Then you will be fine.

You can use the default Kunena template and do a scan again.


8 years 11 months ago - 8 years 11 months ago #5 by clickprecision
Thank you for your help, however that did not seem to fix the issue. Example:

Last edit: 8 years 11 months ago by 810.


8 years 11 months ago #6 by 810
Replied by 810 on topic SQL Injection Vulnerability
Thank you for your report, we will fix this issue.


8 years 11 months ago #7 by 810
Replied by 810 on topic SQL Injection Vulnerability
FYI, this is not SQL injection, but the filter gets an unknown input and breaks. We will have the fix included in the next version.


8 years 11 months ago #8 by clickprecision
Thank you for your help. I know this is not usual visitor behavior and since there is no system compromise, the issue is small. Good to keep McAfee alarms down though.


8 years 11 months ago #9 by Matias
I personally reviewed the code and there is no SQL injection vulnerability, but there is a fatal error because the illegal input caused a value to become NULL instead of an array, which was expected by a function.

There is an easy fix for this; just return on bad input instead of continuing.

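The failure mode 810 and Matias describe in #7 and #9, a filter that yields NULL on unexpected input and a consumer that expects an array, shown as an added PHP example that is not Kunena's own code; the function names are hypothetical stand-ins, and htmlspecialchars stands in for the template's $this->escape().

```php
<?php
// Added illustration of the failure mode described in this thread; not Kunena's own code.
// All function names here are hypothetical stand-ins for the template and filter involved.

// Stand-in for a request filter: keeps only known sort fields and returns them as an
// array, or NULL when the input is not something it understands (a string, an empty set).
function filterSortFields($raw): ?array
{
    $allowed = ['username', 'posts', 'registerDate'];
    if (!is_array($raw)) {
        return null;   // a scanner sending a malformed parameter lands here
    }
    $clean = array_values(array_intersect($raw, $allowed));
    return $clean ?: null;
}

// Consumer that insists on an array. Handing it NULL is the bug from post #9:
// PHP raises a TypeError, which is fatal unless caught.
function renderSortLinks(array $fields): string
{
    $html = '';
    foreach ($fields as $field) {
        // Output escaping, the job $this->escape() does in a Joomla view (htmlspecialchars).
        $safe = htmlspecialchars($field, ENT_QUOTES, 'UTF-8');
        $html .= "<a href=\"?sort={$safe}\">{$safe}</a>\n";
    }
    return $html;
}

// "Before": unexpected input propagates as NULL and takes the page down.
function userListBefore($requestSort): string
{
    return renderSortLinks(filterSortFields($requestSort));   // TypeError on NULL
}

// "After": the easy fix from post #9, return on bad input instead of continuing.
function userListAfter($requestSort): string
{
    $fields = filterSortFields($requestSort);
    if ($fields === null) {
        return '';   // render nothing (or the default view) rather than pass NULL onward
    }
    return renderSortLinks($fields);
}

// Constructed sample requests: a normal one and a malformed one like a scanner would send.
echo userListAfter(['username', 'posts']);        // two escaped links; 'not-an-array' yields ''
try { userListBefore('not-an-array'); }           // the "fatal error" the scanner flagged
catch (TypeError $e) { echo "before the fix: " . $e->getMessage() . "\n"; }
```

The scanner saw a server error in response to a malformed parameter and reported it as injection; the early return keeps the page alive and the alarm quiet without changing any query.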
