Home / exploitsPDF  

joomla150beta-sql.txt

Posted on 06 February 2007

Hi, These bugs were published in full-disclosure about 2 weeks ago (CVE : CVE-2007-0373, CVE-2007-0374 and CVE-2007-0375, CVE-2007-0387) . In Mambo 4.6.1 and Joomla 1.0.11 (and 1.5 Beta) , the 'id' parameter can cause sql injection when cancelling content editting . Other versions maybe affected too . This problem has been solved in Joomla 1.0.12 . Several other sql injections exist in Joomla! 1.5.0 Beta : The 'searchword' parameter is not checked properly before be used in the sql query in several files : In both 'plugins/search/content.php' and 'plugins/search/weblinks.php' files, the '$where' variable is not checked . Also, in 'plugins/search/contacts.php', 'plugins/search/categories.php' and 'plugins/search/sections.php' files, the '$text' var is affected. For example : File plugins/search/sections.php, Line 75 : :: $query = "SELECT a.name AS title," :: . " a.description AS text," :: . " '' AS created," :: . " '2' AS browsernav," :: . " a.id AS secid, m.id AS menuid, m.type AS menutype" :: . " FROM #__sections AS a" :: . " LEFT JOIN #__menu AS m ON m.componentid = a.id" ** . " WHERE ( a.name LIKE '%$text%'" ** . " OR a.title LIKE '%$text%'" ** . " OR a.description LIKE '%$text%' )" :: . " AND a.published = 1" :: . " AND a.access <= " .$user->get( 'gid' ) :: . " AND ( m.type = 'content_section' OR m.type = 'content_blog_section' )" :: . " GROUP BY a.id" :: . " ORDER BY $order" :: ; The search word is limited to 20 characters, so this bug doesnt seem to be critical . PoC : http://hacked/index.php?searchword=%25'/**/SQLINJECTION&option=com_search&Itemid=0 Another sql injection exists in "check()" function . The 'email' parameter is not checked properly : File libraries/joomla/database/table/user.php, Line 104 : :: $query = "SELECT id" :: . " FROM #__users " ** . " WHERE email = '$this->email'" :: . " AND id != $this->id" :: ; This is reachable by normal users, and can be dangerous . The SVN version had another sql injection (I have not checked the recent SVN version after my post to full-disclosure) : The 'catid' parameter is not checked properly in "_buildQuery()" function : File components/com_weblinks/models/category.php, Line 209 : :: $query = "SELECT *" . :: " FROM #__weblinks" . ** " WHERE catid = $this->_id". :: " AND published = 1" . :: " AND archived = 0". :: " ORDER BY $filter_order $filter_order_dir, ordering"; PoC : http://hacked/index.php?option=com_weblinks&catid=1%20SQLINJECTION Also, there are several full path disclosure bugs in Joomla 1.5.0 Beta . Many files call "jimport()" function at the top of the file . So direct access to these files will expose full path of the script . For example : http://test/plugins/user/example.php http://test/plugins/authentication/gmail.php http://test/plugins/authentication/example.php http://test/plugins/authentication/ldap.php http://test/modules/mod_mainmenu/menu.php .. The original advisory (in Persian) is located at : http://www.hackers.ir/advisories/festival.txt - Omid

 

TOP