lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Date: Sat, 26 Aug 2006 01:48:20 +0430
From: "Omid" <omid@...kers.ir>
To: <bugtraq@...urityfocus.com>
Subject: Sql injection in Mambo & Joomla

Hi,
There are several sql injections in Mambo 4.6 RC2 & Joomla 1.0.10 (and maybe
other versions) :
[The codes are from Mambo 4.6 RC2 & some may be different in Joomla]

*) When a user edits a content, the "id" parameter is not checked properly
in /components/com_content/content.php, which can cause 2 sql injections .

*) The "limit" parameter in the administration section is not checked. This
affects many pages of administration section :

File /administrator/modules/mod_logged.php, Line 45 :
:: $query = "SELECT *"
:: . "\n FROM #__session"
:: . "\n WHERE userid != 0"
:: . $_and
:: . "\n ORDER BY usertype, username"
>> . "\n LIMIT $pageNav->limitstart, $pageNav->limit"
:: ;

Also :
File /administrator/components/com_content/admin.content.php, Line 212 :
:: 	. "\n LIMIT $pageNav->limitstart,$pageNav->limit"

And many others .

*) In the administration section, while editing/creating a user, the "gid"
parameter is not checked properly :

File /administrator/components/com_users/admin.users.php, Line 260 :
:: 	$query = "SELECT name"
:: 	. "\n FROM #__core_acl_aro_groups"
>> 	. "\n WHERE group_id = $row->gid"

And the second injection :
File /includes/gacl_api.class.php, Line 675 :
:: $this->db->setQuery( '
:: 	SELECT		g.group_id,o.'. $group_type .'_id,gm.group_id AS member
:: 	FROM		'. $object_table .' o
>> 	LEFT JOIN	'. $group_table .' g ON g.group_id='. $group_id .'
:: 	LEFT JOIN	'. $table .' gm ON (gm.group_id=g.group_id AND gm.'. $group_type .'_id=o.'. $group_type .'_id)
:: 	WHERE		(o.section_value=\''. $this->db->getEscaped($object_section_value) .'\' AND o.value=\''. $this->db->getEscaped($object_value) .'\')'
:: );

And the third :
File /includes/gacl_api.class.php, Line 704 :
:: $this->db->setQuery( 'INSERT INTO '. $table .' (group_id,'. $group_type .'_id) VALUES ('. $group_id .','. $object_id .')' );


The original and complete advisory (in Persian), is located at :
http://www.hackers.ir/advisories/mambo-joomla.html


- Omid

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ