I am finding a Blind SQL Injection issue with K2. This seems serious to me and my customer who ran the security scan will hold up production and wants me to make this a formal report.
I have a simple use case, consider the URL
/component/k2/itemlist/filter?moduleId=699&Itemid=905
This is a fairly typical URL to search for a list
Now add this code in the middle %20%2B%20(SELECT%200%20FROM%20(SELECT%20SLEEP(28))qsqli_1111)%20&
This forms the URL
/component/k2/itemlist/filter?moduleId=699 %2B (SELECT 0 FROM (SELECT SLEEP(29))qsqli_1111) &Itemid=905
This will also "work" but has a significant delay whilst it sleeps, lower the number in the sleep statement and it sleeps less. Seems to me a clear opening for an injection error.
I do not believe this is a result of the K2 Search and Filter module used to create the initial URL because even if those modules are unpublished the basic url's still work, that module simply looks them up and builds them from user selections. So to me this is a k2 issue and possible a joomla core issue if you guys use the same parts. In any event can someone look into this???

Of course.

You need to apply this patch. github.com/joomlaworks/k2/commit/9b4c27b60034bc80def73a0c28cd4a15bf81cd38

Okay, but in the last stable version 2.6.8 .. there is a problem with publishing time .. always shows 00:00 .. is there any way fix this?

Thanks )

Does it work with 2.7.0 ?
You can download older versions from here: getk2.org/downloads/ but sadly not the DEV ones.

I've try it .. but i prefer 2.6.9. Can I download it again, because I save 2.7 over the 2.6.9 on my computer.

Thanks.

Same place where you donwloaded the 2.6.9
getk2.org/assets/get/

From where can I download 2.7 dev?

Thanks.

Can you try with the latest DEV version (2.7.0) ?
Just in case (a real longshot) take a backup before updating.

1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ')}' at line 1 SQL=DELETE FROM #_k2_tags_xref WHERE itemID={intval(

Hello,

does anyone know how to fix this? It shows when update to Joomla 3.3.1 when try to add new item. I'm using K2 v2.6.9 (dev build).

Thanks.

Hello

I try to install K2 component for many times but always get

Fatal error: Class 'K2HelperHTML' not found in public_html/administrator/components/com_k2/k2.php on line 77.

Versions of K2 that I try to install are 2.6.8 and 2.6.7 but all of them get that error. Do you know how should I do?

And these are my website information

1. Hosting : Hostgator
2. Joomla 3.3.1
3. Rocket Theme : Corvus
4. OS Linux g
5. PHP 5.4.29
6. MySQLi 5.5.33-31.1

Other components which can interact with K2:

1. roksprocket
2. ganty framework
3. JCE editor

I have the same issue, fresh install of Joomla 3.3 and I try to install K2 2.6.8 and get this error...
Table 'joomla_1gki3cllhd.y5zp7_k2_categories' doesn't exist SQL=SHOW FULL COLUMNS FROM `y5zp7_k2_categories`

I get it the message shortly after hitting upload & install in the extension manager. I have not messed around with the database at all. I agree that the table isn't there, but why should it be I am just trying to install K2 now so why would I already have K2 related tables? Any help would be greatly appreciated.

Hello,

I have K2 2.6.8, Joomla 3.3.1

When I edit "Category Item Layout" and click save, I receive the error below. It just happen today, never had this error before since working with K2 for almost 2 years. Please advise.

Thank you,

M


An error has occurred.

1213 Deadlock found when trying to get lock; try restarting transaction SQL=UPDATE `xxxx_finder_terms` AS t INNER JOIN `xxxx_finder_links_termse` AS m ON m.term_id = t.term_id SET t.links = t.links - 1 WHERE `link_id` = 6441 AND m.link_id = '6441'

Hello everyone,

I tried installing K2_v2.6.8.zip on Joomla! 3.3.0 but it kept failing with a 1146 error,
stating that the *_k2_* tables did not exist.

Background:

- HTTP server: nginx/1.2.1
- Scripting: PHP 5.4.4-14+deb7u9
- DB: mysql Ver 15.1 Distrib 10.0.11-MariaDB

Given that structure is quite tested and running (we're hosting a hundred other websites)
and the privileges on the DB are ok, I made it work by

- unzipping the source (K2_v2.6.8.zip)
- editing the file "administrator/components/com_k2/install.mysql.sql"
- creating tables by hand (user is the same of "configuration.php")
- commenting the whole file
- zipping back everything
- upload and install

Now it works.
I think the problem was something related to the table names
(e.g.: CREATE TABLE IF NOT EXISTS `#__k2_attachments`)
where the "#_" sign gets replaced.

To cut it short, I don't know which was the exact matter.

Hope someone finds it useful,

Hi. The information you provided is inadequate. Clarify what's going on. You say you cannot access items or categories. Are you getting a message from Joomla! A meesage from the browser? A blank screen? An empty list ? Also try to enable Joomla! debugger to see any SQL errors.

I am getting the same error as above. I have tried installing K2 a couple of times...Still getting the error msg

jos1.jos_k2_items' doesn't exist SQL=SHOW FULL COLUMNS FROM `jos_k2_items`


this is on joomla 3.3

Buongiorno,
ho acquistato un template con all'interno k2 che vorrei disinstallare...

Sono andato su gestione estensioni - gestisci e ho cercato con il filtro k2

dopo aver disinstallato tutto nel front end ho questo errore

Che devo fare??

Grazie a chi mi vuol dare una mano :D

here is the problem, after many complete uninstall and reinstalls of joomla the result is always that a table does not install.



An error has occurred.

1146 Table 'server27_jmln1.jom_k2_categories' doesn't exist SQL=SHOW FULL COLUMNS FROM `jom_k2_categories`



does anyone have an answer please? thanks.

can't add new k2 article. Arror:
1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ')}' at line 1 SQL=SELECT `catid` FROM jos_k2_additional_categories WHERE `itemID` = {intval()}


Joomla 3.3.0
Apache/1.3.42 (Unix) PHP/5.3.13
PHP 5.3.13
MySQL 5.1.73-log

Hi I am getting the same message as well
Warning: preg_replace() [function.preg-replace]: Unknown modifier '0' in /home/XXXXX/public_html/XXXXXXX/plugins/content/jw_allvideos/jw_allvideos.php on line 390

Allvideos 4.5.0
Joomla 3.3.0
PHP 5.3.28
Mysql 5.5.36-34.2

When I click the link to add item on the k2 user module I get this error:
SQL=SELECT `catid` FROM jos_k2_additional_categories WHERE `itemID` = {intval()}
I think it is related to the plugin: Additional Categories for K2 because when i disable it add item works.
This completely breaks my site because it based on user generated content.
Does any one know how to fix this or know of any free alternative plugins.
My site is bypassgames.com/
When I click on my page i get a 404 error but I think this is related to my sef settings.