Joomla Bible Study

...components for the glory of God
TOPIC: Security Patch

7 months, 1 week ago Security Patch #1722

Is the security patch installed in the latest 6.1.3 version?

7 months, 1 week ago Re:Security Patch #1723

  • Tom
  • Administrator
You bet. In fact, 6.1.2 and 6.1.3 have additional security measures too. No need to apply the patch.
"You shall know the truth and the truth shall set you free." JC

7 months, 1 week ago Re:Security Patch #1724

Great! Thanks Tom.

6 months, 2 weeks ago Re:Security Patch #1891

Hi Tom. Can you give me some details on what the security fix targets? We're investigating why one of our sites that was using 6.011a with the security fix got hacked into.

6 months, 2 weeks ago Re:Security Patch #1894

  • Tom
  • Administrator
Sure -

The problem was in how the task was collected from the user. The way the main controller was constructed was based on models provided to developers in Joomla Developer sites.

This is the old code (i.e., 6.0.11a):

 
    // Require specific controller if requested
    if ($controller = JRequest::getVar('controller')) {
        require_once (JPATH_COMPONENT.DS.'controllers'.DS.$controller.'.php');
    }

    // Create the controller
    $classname = 'biblestudyController'.$controller;
    $controller = new $classname( );

    // Perform the Request task
    $controller->execute( JRequest::getVar('task'));

    // Redirect if set by the controller
    $controller->redirect();
 


The getVar opened up to hackers who could use means to access information other than simply the controller's task.

The new code changes things in two ways:

 
    // Require specific controller if requested
    if ($controller = JRequest::getWord('controller')) {
        // Controllers this component is allowed to load
        $approvedControllers = array(
            'studieslist',
            'studydetails',
            'serieslist',
            'seriesdetail',
            'teacherlist',
            'teacheredit',
            'teacherdisplay',
            'commentsedit',
            'commentslist',
            'landingpage',
            'mediafilesedit',
            'podcastedit',
            'studiesedit',
            'landingpage'
        );

        // Anything not on the list falls back to the default controller
        if ( ! in_array($controller, $approvedControllers)) {
            $controller = 'studieslist';
        }
    } // closes the outer if; the posted snippet ends here
 


You can see that we first changed getVar to getWord, which in itself closed the security hole. Secondly we provide a list of known controllers for the component. If the input is anything other than one of these words then it will default to 'studieslist'.

Secondly, we also changed how the task is obtained:

 
    $controller->execute( JRequest::getWord('task'));
 


Also removing the getVar and changing it to getWord.

Hope this helps. It's likely there are a lot of components out there with this in them as it was how we were taught close to initial release of Joomla 1.5.

By the way, the patch (available in the downloads section) should work for any version of com_biblestudy.

Tom
"You shall know the truth and the truth shall set you free." JC
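The two changes described in the post above, as an added stand-alone example (not com_biblestudy or Joomla code): it shows the file path the old `require_once` line would build from a request value next to the path built after filtering and allowlisting. `word_filter()` is a stand-in that assumes the WORD filter behind `JRequest::getWord()` keeps only letters and underscores; the base path and the sample inputs are constructed.

```php
<?php
// Added example; runs without Joomla. All names here are hypothetical.

// Stand-in for the WORD filter: keep only letters and underscores.
function word_filter($value)
{
    return (string) preg_replace('/[^A-Z_]/i', '', $value);
}

// Filter the raw request value, then accept it only if it is on the allowlist.
function resolve_controller($raw, array $approved, $default = 'studieslist')
{
    if (!is_string($raw)) {
        return $default; // e.g. controller[]=x arrives as an array
    }
    $name = word_filter($raw);
    // Strict comparison: only an exact, known controller name passes.
    return in_array($name, $approved, true) ? $name : $default;
}

// Same concatenation as the require_once line in the old code.
function controller_path($base, $name)
{
    return $base . '/controllers/' . $name . '.php';
}

$approved = array('studieslist', 'studydetails', 'serieslist'); // subset of the list
$base = '/site/components/com_biblestudy';                      // constructed path

// Constructed request values: valid, path characters, mixed case with
// punctuation, unknown name, and a non-string.
$samples = array('studydetails', '../../elsewhere/file', 'Studies-List',
                 'nosuchcontroller', array('x'));

foreach ($samples as $raw) {
    $shown = is_array($raw) ? '(array)' : $raw;
    // Old behaviour: the raw value goes straight into the path.
    $old = is_array($raw) ? '(not a string)' : controller_path($base, $raw);
    // New behaviour: filtered, then checked against the allowlist.
    $new = controller_path($base, resolve_controller($raw, $approved));
    printf("%-22s old: %s\n%-22s new: %s\n", $shown, $old, '', $new);
}
```

Only `studydetails` resolves to its own file in the "new" column; every other sample falls back to `studieslist.php`, including `Studies-List`, which passes the word filter as `StudiesList` but is not on the list.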

6 months, 2 weeks ago Re:Security Patch #1898

That helps. Thank you Tom.