Joomla! Issue Tracker - CMS

Download
Launch
Feeling Lucky

[#8288] - Error 500 due to unexpected '[' in components/com_content/content.php

?
avatar yiip87
yiip87
5 Nov 2015

I've seen a couple of strange PHP errors in older Joomla versions in the last days. Responsible for this error is always the following line in the file components/com_content/content.php:

 if(stripos(JFactory::getApplication()->input->getVar("list")[select],"elect")) die;

The whole file looks like this:

<?php
/**
* @package Joomla.Site
* @subpackage com_content
*
* @copyright Copyright (C) 2005 - 2014 Open Source Matters, Inc. All rights reserved.
* @license GNU General Public License version 2 or later; see LICENSE.txt
*/

defined('_JEXEC') or die;
if(stripos(JFactory::getApplication()->input->getVar("list")[select],"elect")) die;

require_once JPATH_COMPONENT.'/helpers/route.php';
require_once JPATH_COMPONENT.'/helpers/query.php';

$controller = JControllerLegacy::getInstance('Content');
$controller->execute(JFactory::getApplication()->input->get('task'));
$controller->redirect();

I've done some research and some sources state that this schould be a backport of the security fixes in Joomla 3.4.5 [1], some sources state that the site has been hacked [2].

The strange thing is, that the offending line appeared in the content.php without changing the files mtime. Also this code only executes in PHP Versions above PHP 5.4. The line was inserted into content.php without user interaction and I was not able to track down suspcious requests in the webservers error log.

I've seen this in Joomla 3.3.6 and 3.4.1, but never in 3.4.5, so my question is: Is this an official fix that just breaks compability with PHP 5.3 and 5.4 or have those sites been compromised?

[1] http://forum.joomla.de/index.php/Thread/967-Wei%C3%9Fe-Seite-im-Frontend-Parse-error-syntax-error-unexpected/?postID=6520#post6520
[2] http://forum.joomla.org/viewtopic.php?f=714&p=3341527

avatar yiip87 yiip87 - open - 5 Nov 2015
avatar zero-24
zero-24 - comment - 5 Nov 2015

Which hoster you have? Maybe All-inkl.com?

avatar wilsonge
wilsonge - comment - 5 Nov 2015

This line is 100% not related to the 3.4.5 update (I was in charge of that release) - you can see the change that got made here. dca641f#diff-35390bcd97e9f612d6fc06ea874aa22aR15

Either it means your site has been compromised or you host has made a unofficial fix outside of the CMS. Either way this isn't a "CMS Issue" i'm afraid :/

avatar brianteeman brianteeman - close - 5 Nov 2015
avatar wilsonge wilsonge - change - 5 Nov 2015
Status New Closed
Closed_Date 0000-00-00 00:00:00 2015-11-05 18:28:53
Closed_By wilsonge
avatar wilsonge wilsonge - close - 5 Nov 2015
avatar wilsonge wilsonge - close - 5 Nov 2015
avatar yiip87
yiip87 - comment - 5 Nov 2015

Host is Host Europe. They don't touch customer data, so those site are compromised.
Anyway thanks for taking the time to reply!

avatar SniperSister
SniperSister - comment - 5 Nov 2015

@yiip87 could you please ping me on a private channel? I would like to investigate this a bit further to make so that it's a hack and what attack vector has been used.

Thanks!

avatar brianteeman brianteeman - change - 14 Dec 2015
Labels Added: ?
avatar aminmix
aminmix - comment - 27 Oct 2016

I have the same issue do you have jmb-tree menu in your website?

avatar zero-24
zero-24 - comment - 27 Oct 2016

I have the same issue do you have jmb-tree menu in your website?

Than you are using a old version of Joomla. At least i would asume it is hacked. Please contact somonen for help e.g. on the forum at https://forum.joomla.org.

Please do not post support questions on closed issues. Thanks ?

avatar zero-24 zero-24 - locked - 27 Oct 16

Add a Comment

Login with GitHub to post a comment