Thank you for contacting us.
I can't replicate this on our site: prntscr.com/hqeapc
URL looks strange, how to you achieve this?
Anyway, that's not a bug or even security issue. Joomla! requirements are openly know: downloads.joomla.org/technical-requirements
Joomla! needs MySQL database/server. And it's easy to determine if you're using Joomla! :)
Do NOT post login credentials on forum posts - to pass confidential data you need:
1. Edit your first post.
2. Click switch below main text field: prntscr.com/fk3hdg
3. Provide your site details: backend URL, admin credentials and FTP: prntscr.com/fk3hwz
4. Let us know that you provided credentials by posting in the same thread.
I'm sorry but I do not understand that part:
"Next, type the url in the attachments"
What URL? And what "attachments" do you mean?
But where did you get this URL? Where it is displayed?
It's not a valid URL. It's a mix of html and URL parameters with regular URL.
If you just made it out - then it's random and issue is only result of your "experiment" :)
URL contains search query parameters passed to db. If you pass some random things, mixed code, you may expect error.
Thank you for checking but... this link is not valid.
if it appears somewhere on the site - I need to know where... I mean where I can click something to see that URL.
Not to paste it as URL or search. It need to be somewhere visible.
If it's not, then I'll consider it as a humbug and randomly made by user... and won't bother anymore. Users can type any rubbish in URL :) We can't stop them doing so.
The link not appears in somewhere because is a premedit attack of sql to jomsocial and it seems work fine.
The user can type any rubbish in url and the system must filter it avoiding attacks.
If you don't want to see it it's ok but jomsocial has a problem in this query.
I rather won't call this "attack" as nothing was included into query or leaked.
Notice about SQL error is nothing :) As I said - Joomla! requirements are publicly known and it's easy to determine that you're using Joomla!
So I really do not understand what you're trying to report here...