Description:
This bug allows a third party to gain access to another Joomla site's MySQL database.
How to repeat:
I am using MySQL 5x with Joomla 1.5x, but the problem is not with my site.
I was casually looking through my MySQL database using phpMyAdmin when I got to this table: jos_core_log_items. This table is a part of the Joomla database distribution.
I clicked on browse to see what kind of things were being logged, and I noted this warning: "No index defined! Create an index on ___ columns."
Not knowing whether I should create the index or not, I decided to research the issue first and see what other users had been told to do.
So I entered this query into Google search: "Table: jos_core_log_items"
I was presented with a list of what I assumed were similar requests for assistance by other users. But when I clicked on one, I was taken directly to that site's database.
I repeated the process several times to be sure that database access was being achieved routinely, and each time I got into the website's database with no problem. And each time it was a Joomla MySQL database (i.e., jos_banners, jos_users, etc.).
Since every Google website result that I clicked on for the "Table: Table: jos_core_log_items" search brought up a Joomla MySQL database, I thought you should know.
Suggested fix:
Am reporting this immediately. Haven't had time to explore any possible fixes.