Date: Wed, 3 May 2017 10:52:20 -0500
From: Brandon Perry <bperry.volatile@...il.com>
To: Vulnerability Lab <research@...nerability-lab.com>
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] Joomla com_tag v1.7.6 - (tag) SQL Injection Vulnerability


> On May 3, 2017, at 6:07 AM, Vulnerability Lab <research@...nerability-lab.com> wrote:
> 
> Document Title:
> ===============
> Joomla com_tag v1.7.6 - (tag) SQL Injection Vulnerability
> 
> 
> References (Source):
> ====================
> https://www.vulnerability-lab.com/get_content.php?id=2061
> 
> IEDB: http://iedb.ir/exploits-7454.html
> 
> 
> Release Date:
> =============
> 2017-05-02
> 
> 
> Vulnerability Laboratory ID (VL-ID):
> ====================================
> 2061
> 
> 
> Common Vulnerability Scoring System:
> ====================================
> 6.6
> 
> 
> Vulnerability Class:
> ====================
> SQL Injection
> 
> 
> Product & Service Introduction:
> ===============================
> Tag Meta allows to efficiently manage all site`s meta information. With Tag Meta, as example, it is possible to set the
> tag `title` or the meta tags (e.g. from the most common `description`, `keywords`, `robots`, as well as the recently
> `content rights` and `external reference`) or link `canonical` on any page, just specifying the URL or a part of it.
> This provides a swiss army knife to improve site positioning in SEO optimization. But Tag Meta also supports regular
> expressions in the matching rules and this allows to match a group of URLs with a single rule. In this way it is
> possible to manage metadata from a single control panel.
> 
> (Copy of the Homepage: https://extensions.joomla.org/extension/tag-meta/ )
> 
> 
> Abstract Advisory Information:
> ==============================
> An independent vulnerability laboratory partner team discovered a sql-injection vulnerability in the official Joomla CMS com_tag (meta) component.

How is this the *official* Joomla CMS com_tag when it is provided by a third party developer? Also, the component linked uses the name com_tagmeta in it’s HTTP requests, not com_tag. I am unable to reproduce the issue you are describing. This whole disclosure is confusing.

> 
> 
> Vulnerability Disclosure Timeline:
> ==================================
> 2017-05-02: Public Disclosure (Vulnerability Laboratory)
> 
> 
> Discovery Status:
> =================
> Published
> 
> 
> Affected Product(s):
> ====================
> SelfGet
> Product: Joomla com_tag (Meta) Components - (Community) 1.7.6
> 
> 
> Exploitation Technique:
> =======================
> Remote
> 
> 
> Severity Level:
> ===============
> High
> 
> 
> Technical Details & Description:
> ================================
> A remote sql-injection web vulnerability has been discovered in the official Joomla CMS com_tag (meta) component.
> The issue allows remote attackers to execute own malicious sql commands to compromise the web-application or dbms.
> 
> The sql-injection vulnerability is located in the `tag` parameter of the `com_tag` joomla web module. The request method
> to execute is GET and the attack vector is client-side. Remote attackers are able to inject own malicious sql commands
> via vulnerable `tag` parameter to compromise the web-application or dbms. The web vulnerability is a classic sql-injection
> in the joomla content management system `com_tag (meta)` component.
> 
> The security risk of the vulnerability is estimated as high with a common vulnerability scoring system count of 6.6.
> Exploitation of the sql-injection vulnerability requires no privilege web-application user account or user interaction.
> Successful exploitation of the web vulnerability results in web-application or database management system compromise.
> 
> Request Method(s):
> [+] GET
> 
> Vulnerable Components(s):
> [+] com_tag (joomla)
> 
> Vulnerable File(s):
> [+] index.php
> 
> Vulnerable Parameter(s):
> [+] tag (&tag)
> 
> 
> Proof of Concept (PoC):
> =======================
> The sql-injection web vulnerability can be exploited by remote attackers without privilege web-application user account
> or user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and
> steps below to continue.
> 
> 
> Dork(s):
> inurl:index.php?option=com_tag
> 
> 
> PoC: Exploitation
> http://localhost:8080/[PATH]/index.php?option=com_tag&task=tag&tag=-`[SQL-Injection Vulnerability!]--
> 
> 
> Security Risk:
> ==============
> The security risk of the sql-injection web vulnerability in the joomla component is estimated as high (CVSS 6.6).
> 
> 
> Credits & Authors:
> ==================
> Amir - Iranian Exploit Database (www.iedb.ir) [http://www.vulnerability-lab.com/show.php?user=IEDB%20Team]
> 
> Thanks: C0dex,B3hz4d,Beni_vanda,Mr_time,Bl4ck M4n,black_security,Yasser,Ramin Assadian,Black_Nofuzi,SecureHost,
> 1TED,Mr_Kelever,Mr_keeper,Mahmod,Iedb,Khashayar,B3hz4d4,Shabgard,Cl09er, Be_lucky,Moslem Haghighian,Dr_Iman,8Bit,
> Javid,Esmiley_Amir,Mahdi_feizezade,Amin_Zohrabi,Shellshock3 and all my friends + all members of the Iedb.Ir Team.
> 
> 
> Disclaimer & Information:
> =========================
> The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or
> implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any
> case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability Labs or its
> suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for incidental
> or consequential damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface
> websites, hack into databases or trade with stolen data. We have no need for criminal activities or membership requests. We do not publish advisories
> or vulnerabilities of religious-, militant- and racist- hacker/analyst/researcher groups or individuals. We do not publish trade researcher mails,
> phone numbers, conversations or anything else to journalists, investigative authorities or private individuals.
> 
> Domains:    www.vulnerability-lab.com		- www.vulnerability-db.com					- www.evolution-sec.com
> Programs:   vulnerability-lab.com/submit.php 	- vulnerability-lab.com/list-of-bug-bounty-programs.php 	- vulnerability-lab.com/register.php
> Feeds:	    vulnerability-lab.com/rss/rss.php 	- vulnerability-lab.com/rss/rss_upcoming.php 			- vulnerability-lab.com/rss/rss_news.php
> Social:	    twitter.com/vuln_lab		- facebook.com/VulnerabilityLab 				- youtube.com/user/vulnerability0lab
> 
> Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory.
> Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
> Vulnerability Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark
> of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get an ask permission.
> 
> 				    Copyright © 2017 | Vulnerability Laboratory - [Evolution Security GmbH]™
> 
> 
> 
> --
> VULNERABILITY LABORATORY - RESEARCH TEAM
> SERVICE: www.vulnerability-lab.com
> 
> 
> 
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/


Download attachment "signature.asc" of type "application/pgp-signature" (802 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists