
MySQL injection vulnerability for Joomla 1.5/2.5/3

Yesterday a vulnerability was announced in the Joomla VEL in a component that I would rather not mention here, in order not to spread this information, and that I would like to fix.

This vulnerability also applies to the Joomla 1.5 version of the component, but the component team only fixed the vulnerability in the Joomla 2.5 and 3.x versions. I am going to post here the function that has been modified in Joomla 2.5 and Joomla 3, and I would like to know if I can modify the same function in the same way or in a different way in order to be compatible with the Joomla 1.5 version.

In the following example, please consider that I will edit the code in order to remove the name of the component.

So, original function in Joomla 3 was:

function _setExtension($option) {
    static $components = array();

    if (!isset($components[$option])) {
        $filter = ComponentUtility::getSkippedComponents();
        $component = ComponentDatabase::loadResult("SELECT `element` FROM `#__extensions` WHERE `type` = 'component' AND `element` NOT IN ({$filter}) AND `element` = '{$option}'");

This has been fixed in the following way:

function _setExtension($option) {
    static $components = array();

    if (!isset($components[$option])) {
        $filter = ComponentUtility::getSkippedComponents();
        $option = ComponentDatabase::escape($option);
        $component = ComponentDatabase::loadResult("SELECT `element` FROM `#__extensions` WHERE `type` = 'component' AND `element` NOT IN ({$filter}) AND `element` = '{$option}'");

In Joomla 2.5, the original function was:

function _setExtension($option) {
    static $components = array();

    if (!isset($components[$option])) {
        $filter = ComponentUtility::getSkippedComponents();
        $component = ComponentDatabase::loadResult("SELECT `element` FROM `#__extensions` WHERE `type` = 'component' AND `element` NOT IN ({$filter}) AND `element` = '{$option}'");

This has been fixed in the following way:

function _setExtension($option) {
    static $components = array();

    if (!isset($components[$option])) {
        $filter = ComponentUtility::getSkippedComponents();
        $option = ComponentDatabase::getEscaped($option);
        $component = ComponentDatabase::loadResult("SELECT `element` FROM `#__extensions` WHERE `type` = 'component' AND `element` NOT IN ({$filter}) AND `element` = '{$option}'");

In Joomla 1.5, the original function is:

function _setExtension($option) {
    static $components = array();

    if (!isset($components[$option])) {
        $filter = "'com_sef', 'com_sh404sef', 'com_joomfish', 'com_config', 'com_media', 'com_installer', 'com_templates', 'com_plugins', 'com_modules', 'com_cpanel', 'com_cache', 'com_messages', 'com_menus', 'com_massmail', 'com_languages', 'com_users'";
        $component = ComponentDatabase::loadResult('SELECT `option` FROM `#__components` WHERE `parent` = "0" AND `option` NOT IN ('.$filter.') AND `option` = "'.$option.'"');

And this has not been fixed.

So, in Joomla 3, the fixing line was:

            $option = ComponentDatabase::escape($option);

In Joomla 2.5 the fixing line was:

        $option = ComponentDatabase::getEscaped($option);

And in Joomla 1.5? How can I properly escape the option parameter and fix the function?

ComponentDatabase is not a class that belongs to Joomla by default, therefore it belongs to your component.

getEscaped is, however, a function that belongs to Joomla 1.5, which simply gets an escaped string from the database.

Assuming that ComponentDatabase also belongs to the Joomla 1.5 compatible version of this component, you should be able to do the same as the other fixes:

$option = ComponentDatabase::getEscaped($option);

If ComponentDatabase does not belong to the Joomla 1.5 version of the component, then copy it over from the Joomla 2.5 version (not 3.x) and bear in mind that you might have to make some tweaks to it.
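Why the one-line fix matters for the Joomla 1.5 query, which delimits the value with double quotes, shown as an added example that is not part of the original post or of the component. `demoEscape`, `buildQuery` and `readLiteral` are hypothetical helpers, the filter list is shortened, and `demoEscape` is only a stand-in for the escaping the database layer performs; real code calls the database layer's `getEscaped`.

```php
<?php
// Stand-in for driver escaping (assumption: the character set MySQL's
// real-escape routine covers). Production code must use the database layer,
// because only the live connection knows its character set.
function demoEscape($value) {
    return strtr($value, array(
        "\\" => "\\\\", "\0" => "\\0", "\n" => "\\n", "\r" => "\\r",
        "'" => "\\'", '"' => '\\"', "\x1a" => "\\Z",
    ));
}

// Same query shape as the Joomla 1.5 function on this page (filter shortened).
function buildQuery($option) {
    $filter = "'com_config', 'com_users'";
    return 'SELECT `option` FROM `#__components` WHERE `parent` = "0"'
         . ' AND `option` NOT IN (' . $filter . ') AND `option` = "' . $option . '"';
}

// Read the double-quoted literal after "`option` = " the way a SQL lexer
// would, and return the decoded value plus whatever follows the closing quote.
// Only the \" and \\ escapes are decoded, which is all the sample input needs.
function readLiteral($sql) {
    $marker = '`option` = ';
    $i = strpos($sql, $marker) + strlen($marker) + 1; // skip the opening quote
    $n = strlen($sql);
    $value = '';
    while ($i < $n && $sql[$i] !== '"') {
        if ($sql[$i] === '\\' && $i + 1 < $n) {
            $i++; // backslash escape: the next character is data
        }
        $value .= $sql[$i];
        $i++;
    }
    return array($value, (string) substr($sql, $i + 1));
}

// Constructed sample value containing a double quote and a backslash.
$input = 'com_demo" trailing\\';

foreach (array('raw' => $input, 'escaped' => demoEscape($input)) as $label => $v) {
    list($literal, $rest) = readLiteral(buildQuery($v));
    $intact = ($literal === $input && $rest === '') ? 'yes' : 'no';
    printf("%-8s literal=[%s] leftover=[%s] intact=%s\n", $label, $literal, $rest, $intact);
}
```

With the raw value, the literal ends at the embedded quote and the remainder is parsed as SQL; with the escaped value, the whole input stays inside the literal and nothing is left over.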
