> On May 3, 2017, at 6:07 AM, Vulnerability Lab <research@xxxxxxxxxxxxxxxxxxxxx> wrote:
>
> Document Title:
> ===============
> Joomla com_tag v1.7.6 - (tag) SQL Injection Vulnerability
>
> References (Source):
> ====================
> https://www.vulnerability-lab.com/get_content.php?id=2061
>
> IEDB: http://iedb.ir/exploits-7454.html
>
> Release Date:
> =============
> 2017-05-02
>
> Vulnerability Laboratory ID (VL-ID):
> ====================================
> 2061
>
> Common Vulnerability Scoring System:
> ====================================
> 6.6
>
> Vulnerability Class:
> ====================
> SQL Injection
>
> Product & Service Introduction:
> ===============================
> Tag Meta allows you to efficiently manage all of a site`s meta information. With Tag Meta, for example, it is possible to set the
> tag `title` or the meta tags (e.g. from the most common `description`, `keywords`, `robots`, as well as the recent
> `content rights` and `external reference`) or the link `canonical` on any page, just by specifying the URL or a part of it.
> This provides a swiss army knife to improve site positioning in SEO optimization. But Tag Meta also supports regular
> expressions in the matching rules, and this allows matching a group of URLs with a single rule. In this way it is
> possible to manage metadata from a single control panel.
>
> (Copy of the Homepage: https://extensions.joomla.org/extension/tag-meta/ )
>
> Abstract Advisory Information:
> ==============================
> An independent vulnerability laboratory partner team discovered a
> sql-injection vulnerability in the official Joomla CMS com_tag (meta)
> component.

How is this the *official* Joomla CMS com_tag when it is provided by a third-party developer? Also, the component linked uses the name com_tagmeta in its HTTP requests, not com_tag. I am unable to reproduce the issue you are describing. This whole disclosure is confusing.

> Vulnerability Disclosure Timeline:
> ==================================
> 2017-05-02: Public Disclosure (Vulnerability Laboratory)
>
> Discovery Status:
> =================
> Published
>
> Affected Product(s):
> ====================
> SelfGet
> Product: Joomla com_tag (Meta) Components - (Community) 1.7.6
>
> Exploitation Technique:
> =======================
> Remote
>
> Severity Level:
> ===============
> High
>
> Technical Details & Description:
> ================================
> A remote sql-injection web vulnerability has been discovered in the official Joomla CMS com_tag (meta) component.
> The issue allows remote attackers to execute their own malicious sql commands to compromise the web-application or dbms.
>
> The sql-injection vulnerability is located in the `tag` parameter of the `com_tag` joomla web module. The request method
> to execute is GET and the attack vector is client-side. Remote attackers are able to inject their own malicious sql commands
> via the vulnerable `tag` parameter to compromise the web-application or dbms. The web vulnerability is a classic sql-injection
> in the joomla content management system `com_tag (meta)` component.
>
> The security risk of the vulnerability is estimated as high with a common vulnerability scoring system count of 6.6.
> Exploitation of the sql-injection vulnerability requires no privileged web-application user account or user interaction.
> Successful exploitation of the web vulnerability results in web-application or database management system compromise.
>
> Request Method(s):
> [+] GET
>
> Vulnerable Components(s):
> [+] com_tag (joomla)
>
> Vulnerable File(s):
> [+] index.php
>
> Vulnerable Parameter(s):
> [+] tag (&tag)
>
> Proof of Concept (PoC):
> =======================
> The sql-injection web vulnerability can be exploited by remote attackers without a privileged web-application user account
> or user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and
> steps below to continue.
>
> Dork(s):
> inurl:index.php?option=com_tag
>
> PoC: Exploitation
> http://localhost:8080/[PATH]/index.php?option=com_tag&task=tag&tag=-`[SQL-Injection Vulnerability!]--
>
> Security Risk:
> ==============
> The security risk of the sql-injection web vulnerability in the joomla component is estimated as high (CVSS 6.6).
>
> Credits & Authors:
> ==================
> Amir - Iranian Exploit Database (www.iedb.ir)
> [http://www.vulnerability-lab.com/show.php?user=IEDB%20Team]
>
> Thanks: C0dex,B3hz4d,Beni_vanda,Mr_time,Bl4ck M4n,black_security,Yasser,Ramin Assadian,Black_Nofuzi,SecureHost,
> 1TED,Mr_Kelever,Mr_keeper,Mahmod,Iedb,Khashayar,B3hz4d4,Shabgard,Cl09er, Be_lucky,Moslem Haghighian,Dr_Iman,8Bit,
> Javid,Esmiley_Amir,Mahdi_feizezade,Amin_Zohrabi,Shellshock3 and all my friends + all members of the Iedb.Ir Team.
>
> Disclaimer & Information:
> =========================
> The information provided in this advisory is provided as it is without any
> warranty. Vulnerability Lab disclaims all warranties, either expressed or
> implied, including the warranties of merchantability and capability for a
> particular purpose. Vulnerability-Lab or its suppliers are not liable in any
> case of damage, including direct, indirect, incidental, consequential loss of
> business profits or special damages, even if Vulnerability Labs or its
> suppliers have been advised of the possibility of such damages. Some states
> do not allow the exclusion or limitation of liability mainly for incidental
> or consequential damages so the foregoing limitation may not apply. We do not
> approve or encourage anybody to break any licenses, policies, deface
> websites, hack into databases or trade with stolen data. We have no need for
> criminal activities or membership requests. We do not publish advisories
> or vulnerabilities of religious-, militant- and racist- hacker/analyst/researcher groups or individuals. We do not publish trade
> researcher mails, phone numbers, conversations or anything else to journalists, investigative
> authorities or private individuals.
>
> Domains: www.vulnerability-lab.com - www.vulnerability-db.com - www.evolution-sec.com
> Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
> Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
> Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
>
> Any modified copy or reproduction, including partial usage, of this file,
> resources or information requires authorization from Vulnerability Laboratory.
> Permission to electronically redistribute this alert in its unmodified form
> is granted. All other rights, including the use of other media, are reserved by
> Vulnerability Lab Research Team or its suppliers. All pictures, texts,
> advisories, source code, videos and other information on this website are the trademark
> of the vulnerability-lab team & the specific authors or managers. To record,
> list, modify, use or edit our material contact (admin@) to ask for permission.
>
> Copyright © 2017 | Vulnerability Laboratory - [Evolution Security GmbH]™
>
> --
> VULNERABILITY LABORATORY - RESEARCH TEAM
> SERVICE: www.vulnerability-lab.com
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
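Whether or not the advisory reproduces, a site operator can at least check access logs for the request shape it describes: a GET to index.php with `option=com_tag` (or `com_tagmeta`, the name the reply says the component actually uses) whose `tag` parameter carries SQL metacharacters. The following Python is an added example written for this thread, not code from the advisory, from Vulnerability Lab or from the Tag Meta project; the log lines are constructed, the IP addresses are documentation ranges, and the set of flagged tokens is an assumption about what a legitimate tag name never contains.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed combined-format access log lines (not real traffic).
# Line 2 mirrors the advisory's PoC value; line 3 is a generic UNION probe
# against the com_tagmeta name mentioned in the reply; lines 1 and 4 are benign.
SAMPLE_LOG = """\
203.0.113.5 - - [03/May/2017:06:07:01 +0000] "GET /index.php?option=com_tag&task=tag&tag=security HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [03/May/2017:06:07:02 +0000] "GET /index.php?option=com_tag&task=tag&tag=-%60%5BSQL-Injection%20Vulnerability!%5D-- HTTP/1.1" 500 312 "-" "curl/7.52.1"
198.51.100.7 - - [03/May/2017:06:07:03 +0000] "GET /joomla/index.php?option=com_tagmeta&task=tag&tag=news'%20UNION%20SELECT%201,2,3--%20- HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.8 - - [03/May/2017:06:07:04 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

# Enough of the combined log format to recover client, time, method, target and status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Component names taken from the advisory (com_tag) and the reply (com_tagmeta).
WATCHED_COMPONENTS = {"com_tag", "com_tagmeta"}

# Assumed: a plain tag name never contains quoting characters, SQL comment
# openers or these keywords.  Tune the list to the site's real tag vocabulary.
SQLI_RE = re.compile(
    r"""(['"`]|--|/\*|\bunion\b|\bselect\b|\bsleep\s*\(|\bbenchmark\s*\()""",
    re.IGNORECASE,
)


def parse_line(line):
    """Return a dict with ip, ts, method, path, query (decoded) and status, or None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs percent-decodes values, so the check below sees the raw payload.
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def suspicious_tag_values(rec):
    """Values of the `tag` parameter that look like SQL for a watched component."""
    q = rec["query"]
    if rec["method"] != "GET" or not rec["path"].endswith("/index.php"):
        return []
    if not (set(q.get("option", [])) & WATCHED_COMPONENTS):
        return []
    return [v for v in q.get("tag", []) if SQLI_RE.search(v)]


def scan_log(text):
    """Scan log text and return one finding per suspicious tag value."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for value in suspicious_tag_values(rec):
            hits.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "status": rec["status"],
                "component": rec["query"]["option"][0],
                "tag": value,
            })
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h['ts']} {h['ip']} {h['component']} status={h['status']} tag={h['tag']!r}")
```

Run against the constructed sample this reports the two probing requests and ignores the benign ones; the HTTP status is kept in each finding because a 500 on such a request (as in the second line) is the usual sign that the injected characters actually reached the query.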