Please Note: Since the release of nBill 1.2.1, this patch is no longer required. All users are encouraged to upgrade to nBill 1.2.1.

It has come to our attention that a security vulnerability exists in nBill version 1.2.0 SP1. A patch file is attached to this post - all users are urged to apply it immediately. Just replace your /components/com_netinvoice/netinvoice.php file with the attached (also available here if you cannot see the attachment below - unzip first!).
A number of people have reported attempted SQL injection attacks, which in virtually every case will have failed, but after some investigation it has been found that a vulnerability does exist if the hacker has knowledge of, or can guess, the contents of an encrypted file. The sample code provided in a recent Secunia advisory was ineffective and would not result in a successful attack - as far as we are aware, nobody has yet been compromised. Even so, it is advisable to ensure that you change your Joomla administrator password after applying this patch.
If you are running an earlier version of nBill, it is recommended that you upgrade to 1.2.0 SP1 and apply the patch.