lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Sun, 04 Feb 2007 20:36:37 +0330
From: "Omid" <omid@...kers.ir>
To: <bugtraq@...urityfocus.com>
Subject: Sql injection bugs in Joomla and Mambo

Hi,

These bugs were published in full-disclosure about 2 weeks ago (CVE : 
CVE-2007-0373, CVE-2007-0374 and CVE-2007-0375, CVE-2007-0387) .

In Mambo 4.6.1 and Joomla 1.0.11 (and 1.5 Beta) , the 'id' parameter can
cause sql injection when cancelling content editting . Other versions maybe
affected too . This problem has been solved in Joomla 1.0.12 .

Several other sql injections exist in Joomla! 1.5.0 Beta :

The 'searchword' parameter is not checked properly before be used
in the sql query in several files :

In both 'plugins/search/content.php' and 'plugins/search/weblinks.php'
files, the '$where' variable is not checked .

Also, in 'plugins/search/contacts.php', 'plugins/search/categories.php' and
'plugins/search/sections.php' files, the '$text' var is affected. For example :

File plugins/search/sections.php, Line 75 :
:: 	$query = "SELECT a.name AS title,"
:: 	. "\n a.description AS text,"
:: 	. "\n '' AS created,"
:: 	. "\n '2' AS browsernav,"
:: 	. "\n a.id AS secid, m.id AS menuid, m.type AS menutype"
:: 	. "\n FROM #__sections AS a"
:: 	. "\n LEFT JOIN #__menu AS m ON m.componentid = a.id"
** 	. "\n WHERE ( a.name LIKE '%$text%'"
** 	. "\n OR a.title LIKE '%$text%'"
** 	. "\n OR a.description LIKE '%$text%' )"
:: 	. "\n AND a.published = 1"
:: 	. "\n AND a.access <= " .$user->get( 'gid' )
:: 	. "\n AND ( m.type = 'content_section' OR m.type = 'content_blog_section' )"
:: 	. "\n GROUP BY a.id"
:: 	. "\n ORDER BY $order"
:: 	;

The search word is limited to 20 characters, so this bug doesnt seem to be
critical .
PoC : http://hacked/index.php?searchword=%25'/**/SQLINJECTION&option=com_search&Itemid=0


Another sql injection exists in "check()" function . The 'email' parameter is
not checked properly :

File libraries/joomla/database/table/user.php, Line 104 :
:: 		$query = "SELECT id"
:: 			. "\n FROM #__users "
** 			. "\n WHERE email = '$this->email'"
:: 			. "\n AND id != $this->id"
:: 			;

This is reachable by normal users, and can be dangerous .

The SVN version had another sql injection (I have not checked the recent SVN
version after my post to full-disclosure) :
The 'catid' parameter is not checked properly in "_buildQuery()" function :

File components/com_weblinks/models/category.php, Line 209 :
:: 		$query = "SELECT *" .
:: 			"\n FROM #__weblinks" .
** 			"\n WHERE catid = $this->_id".
:: 			"\n AND published = 1" .
:: 			"\n AND archived = 0".
:: 			"\n ORDER BY $filter_order $filter_order_dir, ordering";

PoC : http://hacked/index.php?option=com_weblinks&catid=1%20SQLINJECTION


Also, there are several full path disclosure bugs in Joomla 1.5.0 Beta .
Many files call "jimport()" function at the top of the file . So direct access
to these files will expose full path of the script . For example :
http://test/plugins/user/example.php
http://test/plugins/authentication/gmail.php
http://test/plugins/authentication/example.php
http://test/plugins/authentication/ldap.php
http://test/modules/mod_mainmenu/menu.php
..

The original advisory (in Persian) is located at :
http://www.hackers.ir/advisories/festival.txt


- Omid

Powered by blists - more mailing lists