
False security report on Tag Meta Community 1.7.6

On May 4, 2017 we got a message from the Joomla Vulnerable Extensions List (VEL) reporting the following security issue in Tag Meta Community 1.7.6:

http://seclists.org/fulldisclosure/2017/May/4

This report has the following references:

https://www.vulnerability-lab.com/get_content.php?id=2061

http://iedb.ir/exploits-7454.html

According to these reports, Tag Meta is affected by a SQL injection bug, and a Proof of Concept (PoC) is provided:

PoC: Exploitation
http://localhost:8080/[PATH]/index.php?option=com_tag&task=tag&tag=-`[SQL-Injection Vulnerability!]--

This vulnerability is, in fact, related to another extension named Joomla Tag, and it was already reported back in 2012:

https://www.exploit-db.com/exploits/22098/

It seems that someone just "revived" the issue but associated it with Tag Meta (com_tagmeta), probably because in the meantime Joomla Tag (com_tag) has stopped existing.

Moreover, Tag Meta doesn't have a frontend view, so it could NOT be hacked as described in the PoC. The VEL Team has already verified the information provided and found Tag Meta to be CLEAN & SAFE.
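
The attribution check argued above can be automated when triaging such reports. The following is an added example, not part of the original post or of Tag Meta: it reads the `option` parameter from the quoted PoC URL and compares it with the component the report names. The function names and the directory listing are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# PoC URL exactly as quoted in the report above.
POC_URL = ("http://localhost:8080/[PATH]/index.php"
           "?option=com_tag&task=tag&tag=-`[SQL-Injection Vulnerability!]--")

# Constructed sample of a site's component directories (assumption): Tag Meta
# appears only under administrator/, matching "no frontend view" in the post.
INSTALLED_DIRS = {
    "administrator/components/com_content",
    "administrator/components/com_tagmeta",
    "components/com_content",
}

def triage_poc(poc_url, reported_component, installed_dirs):
    """Compare the component a PoC URL addresses with the one the report names."""
    parts = urlsplit(poc_url)
    query = parse_qs(parts.query, keep_blank_values=True)
    target = query.get("option", [""])[0].lower()
    # administrator/index.php is the backend entry point; any other
    # index.php is dispatched to the frontend (site) application.
    is_admin = parts.path.endswith("/administrator/index.php")
    base = "administrator/components/" if is_admin else "components/"
    return {
        "poc_component": target,
        "component_matches": target == reported_component,
        "application": "administrator" if is_admin else "site",
        "poc_component_installed": base + target in installed_dirs,
        "reported_component_reachable": base + reported_component in installed_dirs,
    }

def verdict(result):
    """Classify the report for a human reviewer."""
    if not result["component_matches"]:
        return "misattributed"   # PoC addresses a different extension
    if not result["reported_component_reachable"]:
        return "unreachable"     # named extension has no entry point there
    return "needs-review"        # PoC does reach the named extension: test it

if __name__ == "__main__":
    result = triage_poc(POC_URL, "com_tagmeta", INSTALLED_DIRS)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("verdict:", verdict(result))
```

A "misattributed" or "unreachable" verdict only says the PoC as written cannot hit the named extension; it does not replace the code review the VEL Team performed.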