Sql injection in Mambo & Joomla


From: "Omid" <omid@hackers.ir.>
To: <bugtraq@securityfocus.com.>
Subject: Sql injection in Mambo & Joomla
Date: Sat, 26 Aug 2006 01:48:20 +0430
User-Agent: Hackers.ir/1.0
MIME-Version: 1.0
Content-Type: text/plain;charset=utf-8
Content-Transfer-Encoding: 8bit
Importance: Normal
X-Priority: 3 (Normal)
X-Mailer: Hackers.ir/1.0
X-Virus-Scanned: antivirus-gw at tyumen.ru

Hi,
There are several SQL injections in Mambo 4.6 RC2 & Joomla 1.0.10 (and maybe
other versions):
[The code is from Mambo 4.6 RC2 & some may be different in Joomla]

*) When a user edits a content item, the "id" parameter is not checked properly
in /components/com_content/content.php, which can cause 2 SQL injections.

*) The "limit" parameter in the administration section is not checked. This
affects many pages of the administration section:

File /administrator/modules/mod_logged.php, Line 45 :
:: $query = "SELECT *"
:: . "\n FROM #__session"
:: . "\n WHERE userid != 0"
:: . $_and
:: . "\n ORDER BY usertype, username"
>> . "\n LIMIT $pageNav->limitstart, $pageNav->limit"
:: ;

Also:
File /administrator/components/com_content/admin.content.php, Line 212 :
:: 	. "\n LIMIT $pageNav->limitstart,$pageNav->limit"

And many others.

*) In the administration section, while editing/creating a user, the "gid"
parameter is not checked properly:

File /administrator/components/com_users/admin.users.php, Line 260 :
:: 	$query = "SELECT name"
:: 	. "\n FROM #__core_acl_aro_groups"
>> 	. "\n WHERE group_id = $row->gid"

And the second injection:
File /includes/gacl_api.class.php, Line 675 :
:: $this->db->setQuery( '
:: 	SELECT		g.group_id,o.'. $group_type .'_id,gm.group_id AS member
:: 	FROM		'. $object_table .' o
>> 	LEFT JOIN	'. $group_table .' g ON g.group_id='. $group_id .'
:: 	LEFT JOIN	'. $table .' gm ON (gm.group_id=g.group_id AND gm.'. $group_type .'_id=o.'. $group_type .'_id)
:: 	WHERE		(o.section_value=\''. $this->db->getEscaped($object_section_value) .'\' AND o.value=\''. $this->db->getEscaped($object_value) .'\')'
:: );

And the third:
File /includes/gacl_api.class.php, Line 704 :
:: $this->db->setQuery( 'INSERT INTO '. $table .' (group_id,'. $group_type .'_id) VALUES ('. $group_id .','. $object_id .')' );


The original and complete advisory (in Persian) is located at:
http://www.hackers.ir/advisories/mambo-joomla.html


- Omid
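All three findings in the advisory share one root cause: request-controlled integers ("id", "limit"/"limitstart", "gid") are interpolated into SQL as raw strings. The example below is added here as an illustration of the fix and is not Mambo or Joomla code; it uses PDO with an in-memory SQLite database, a constructed table named after the `#__core_acl_aro_groups` table in the advisory, and hypothetical helper names (`toInt`, `groupNameSafe`, `listGroupsSafe`). It keeps the vulnerable concatenation pattern side by side with a hardened version that validates each value as a bounded integer before it reaches the query.

```php
<?php
// Added example, not project code. Demonstrates validating pagination and
// group-id parameters before they are used in SQL, using PDO + SQLite.
declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed table, modelled on #__core_acl_aro_groups from the advisory.
    $db->exec('CREATE TABLE core_acl_aro_groups (group_id INTEGER PRIMARY KEY, name TEXT)');
    $db->exec("INSERT INTO core_acl_aro_groups VALUES (18, 'Registered'), (23, 'Editor'), (25, 'Super Administrator')");
    return $db;
}

// Vulnerable pattern from the advisory: the request value goes straight into
// the SQL string, so anything other than a bare integer changes the query.
function groupNameUnsafe(PDO $db, string $gid): ?string
{
    $query = "SELECT name FROM core_acl_aro_groups WHERE group_id = $gid";
    $row = $db->query($query)->fetchColumn();
    return $row === false ? null : $row;
}

// Hardened: accept only a short run of digits, then range-check the result.
// Rejecting the value is safer than silently casting it, because a cast
// hides malformed input that a log reviewer would want to see.
function toInt(string $value, int $min, int $max): int
{
    if (!preg_match('/^\d{1,9}$/', $value)) {
        throw new InvalidArgumentException("expected an integer, got: " . var_export($value, true));
    }
    $n = (int) $value;
    if ($n < $min || $n > $max) {
        throw new OutOfRangeException("value $n outside [$min, $max]");
    }
    return $n;
}

// Hardened gid lookup: validated integer bound as a parameter.
function groupNameSafe(PDO $db, string $gid): ?string
{
    $stmt = $db->prepare('SELECT name FROM core_acl_aro_groups WHERE group_id = :gid');
    $stmt->bindValue(':gid', toInt($gid, 0, 2147483647), PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetchColumn();
    return $row === false ? null : $row;
}

// Hardened paging: LIMIT values are validated and bounded, then interpolated.
// After toInt() the values can only be digits, so interpolation is safe here;
// binding LIMIT operands is driver-dependent (MySQL emulated prepares quote
// them), which is why many projects validate and interpolate instead.
function listGroupsSafe(PDO $db, string $limitstart, string $limit): array
{
    $start = toInt($limitstart, 0, 1000000);
    $count = toInt($limit, 1, 100);
    $stmt = $db->query("SELECT name FROM core_acl_aro_groups ORDER BY name LIMIT $start, $count");
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = makeDb();

// Normal input behaves identically in both versions.
var_dump(groupNameUnsafe($db, '25'));           // string "Super Administrator"
var_dump(groupNameSafe($db, '25'));             // string "Super Administrator"
var_dump(listGroupsSafe($db, '1', '2'));        // ["Registered", "Super Administrator"]

// Constructed malformed inputs: the hardened helpers refuse them before any SQL runs.
foreach ([['gid', '25 x'], ['limit', '10,20'], ['limit', '99999']] as [$name, $bad]) {
    try {
        $name === 'gid' ? groupNameSafe($db, $bad) : listGroupsSafe($db, '0', $bad);
        echo "$name accepted $bad (unexpected)\n";
    } catch (InvalidArgumentException | OutOfRangeException $e) {
        echo "$name rejected: " . $e->getMessage() . "\n";
    }
}
```

The same `toInt` gate applies to the "id" parameter in content.php: every place the advisory marks with `>>` concatenates a value that should have been reduced to a bounded integer first. Rejecting with an exception (rather than `intval()` alone) also gives the application a single point at which to log malformed requests, which is the detection signal a defender wants for this class of bug.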

