Lyften Bloggie SQL Injection Fix

Posted in Joomla!
2009-11-30 01:05:49 +0000 UTC

The Joomla component Lyften Bloggie was recently reported to suffer from an SQL Injection vulnerability. Since I had a current client running this software, with no fix in sight, I decided to take matters into my own hands and patch it. And, in the spirit of open source, I thought I'd share the fix with everyone.

The exploit in question uses the URL parameter "author" to inject SQL commands, and as far as I can tell that parameter is only ever meant to hold an integer value. To plug this hole, I simply changed line 41 of components/com_lyftenbloggie/models/lyftenbloggie.php to use JRequest's getInt() method instead of the more generic getVar().

Original Code:

$this->_author		= JRequest::getVar( 'author' ); // returns the raw request value as a string, so non-numeric input reaches the query

Patched Code:

$this->_author		= JRequest::getInt( 'author' ); // coerces the value to an integer before the model uses it in SQL
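To show why the one-line change is enough for an integer parameter, here is a stand-alone PHP script I am adding to this post; it is not code from the Lyften Bloggie component. JRequest is not available outside Joomla, so the helpers getVarParam() and getIntParam() are my own stand-ins for getVar() and getInt(), the $request array is a constructed sample, and the table and column names in buildAuthorQuery() are placeholders rather than the component's real schema.

```php
<?php
// Added example, not the component's own code. getIntParam() approximates
// JRequest::getInt(): Joomla's INT filter pulls the first run of digits out of
// the value, which for a leading number is the same as a plain (int) cast.

// Constructed sample request: the "author" parameter carries trailing SQL
// instead of a bare id, as in the reported exploit.
$request = array('author' => '7 OR 1=1');

// Stand-in for JRequest::getVar('author'): hands back the raw string.
function getVarParam(array $req, $name, $default = '')
{
    return isset($req[$name]) ? $req[$name] : $default;
}

// Stand-in for JRequest::getInt('author'): everything after the leading
// digits is discarded, so the value can no longer carry SQL syntax.
function getIntParam(array $req, $name, $default = 0)
{
    return isset($req[$name]) ? (int) $req[$name] : $default;
}

// The kind of filter the model builds once $this->_author is set.
// Placeholder table/column names; the real query lives in the component.
function buildAuthorQuery($author)
{
    return 'SELECT * FROM entries WHERE created_by = ' . $author;
}

$unsafe = buildAuthorQuery(getVarParam($request, 'author'));
$safe   = buildAuthorQuery(getIntParam($request, 'author'));

echo "getVar(): $unsafe\n";
echo "getInt(): $safe\n";

// Checks a patch reviewer can keep around: the hardened value is an int, and
// the generated SQL ends in nothing but digits after the comparison operator.
if (!is_int(getIntParam($request, 'author'))) {
    fwrite(STDERR, "getInt stand-in did not return an integer\n");
    exit(1);
}
if (preg_match('/created_by = \d+$/', $safe) !== 1) {
    fwrite(STDERR, "hardened query still contains non-numeric input\n");
    exit(1);
}
```

Run it with `php example.php`; the getVar() line shows the injected text concatenated straight into the WHERE clause, while the getInt() line shows only the number 7. The caveat is that this only works because "author" is numeric: a parameter that legitimately holds a string cannot be fixed with getInt(), and needs to be escaped with the database object's Quote() method (or bound as a parameter) before it is placed in a query.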

UPDATE: It seems the folks over at Lyften have finally published an official fix!