SQL Injection In PayPlans Resolved

PayPlans Security Update for SQL Injection

Jogendra Singh , 14 June, 2016


I want to post an update on one feed that we found yesterday which displays possible SQL Injection in PayPlans.
Few of our customers has reported this feed (SQL Injection hack) which can be done if you are using PayPlans Plan Group functionality.

We feel highly obliged to have such loyal and well-wisher customers. We thank Mr. Damien Barrere & Mr. Ufo Alieno, who reported this issue and helped in addressing it. As a token of our gratitude, we announce subscription of PayPlans for One Year to them.

What Happened ?
As per the feed that we have got from our users, If you are using PayPlans Plan Group feature then group id is visible in sql error that is being displayed. Using this group id hacker can identify the database name and can get table names. Furthermore a hacking attempt can be performed by hackers subsequently.

We immediately fixed the issue. However,We have addressed this issue on immediate basis and found the fix as well. Below is the fix that you can do on your site immediately :-

Download the file (as per your PayPlans Version) and replace it with following location :-
YOUR_SITE_ROOT/components/com_payplans/views/plan/view.html.php

Security & Future
The root cause of the issue was getting the group id from request in unsecure way.
We have fixed this issue in our code base and this fix will be available to all users in next release very soon possibly in next 7 days. We will release this fix for all PayPlans version.
We would also like to provide this fix to all fellow customers whose subscription is expired.

If you have any questions just email me jogendra@readybytes.in

blog comments powered by Disqus