joomla150beta-sql.txt

06 Feb 2007 | Reported by Omid | Type: packetstorm | Source: packetstormsecurity.com

Security vulnerabilities in Joomla

Hi,
  
These bugs were published on full-disclosure about 2 weeks ago
(CVE-2007-0373, CVE-2007-0374, CVE-2007-0375 and CVE-2007-0387).
  
In Mambo 4.6.1 and Joomla 1.0.11 (and 1.5 Beta), the 'id' parameter can
cause SQL injection when cancelling content editing. Other versions may be
affected too. This problem has been solved in Joomla 1.0.12.
  
Several other SQL injections exist in Joomla! 1.5.0 Beta:
  
The 'searchword' parameter is not checked properly before being used
in the SQL query in several files:
  
In both 'plugins/search/content.php' and 'plugins/search/weblinks.php',
the '$where' variable is not checked.
  
Also, in 'plugins/search/contacts.php', 'plugins/search/categories.php' and
'plugins/search/sections.php', the '$text' variable is affected. For example:
  
File plugins/search/sections.php, Line 75 (lines marked ** are where the unescaped value is interpolated):
:: $query = "SELECT a.name AS title,"
:: . "\n a.description AS text,"
:: . "\n '' AS created,"
:: . "\n '2' AS browsernav,"
:: . "\n a.id AS secid, m.id AS menuid, m.type AS menutype"
:: . "\n FROM #__sections AS a"
:: . "\n LEFT JOIN #__menu AS m ON m.componentid = a.id"
** . "\n WHERE ( a.name LIKE '%$text%'"
** . "\n OR a.title LIKE '%$text%'"
** . "\n OR a.description LIKE '%$text%' )"
:: . "\n AND a.published = 1"
:: . "\n AND a.access <= " .$user->get( 'gid' )
:: . "\n AND ( m.type = 'content_section' OR m.type = 'content_blog_section' )"
:: . "\n GROUP BY a.id"
:: . "\n ORDER BY $order"
:: ;
  
The search word is limited to 20 characters, so this bug does not seem to be
critical.
PoC : http://hacked/index.php?searchword=%25'/**/SQLINJECTION&option=com_search&Itemid=0  
  
  
Another SQL injection exists in the "check()" function. The 'email' parameter is
not checked properly:
  
File libraries/joomla/database/table/user.php, Line 104:
:: $query = "SELECT id"
:: . "\n FROM #__users "
** . "\n WHERE email = '$this->email'"
:: . "\n AND id != $this->id"
:: ;
  
This is reachable by normal users, and can be dangerous.
  
The SVN version had another SQL injection (I have not checked the recent SVN
version after my post to full-disclosure):
the 'catid' parameter is not checked properly in the "_buildQuery()" function:
  
File components/com_weblinks/models/category.php, Line 209:
:: $query = "SELECT *" .
:: "\n FROM #__weblinks" .
** "\n WHERE catid = $this->_id".
:: "\n AND published = 1" .
:: "\n AND archived = 0".
:: "\n ORDER BY $filter_order $filter_order_dir, ordering";
  
PoC : http://hacked/index.php?option=com_weblinks&catid=1%20SQLINJECTION  
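The three query shapes above (the integer 'catid', the quoted 'email' and the LIKE '%$text%' search) can all be built without interpolating request data into the SQL string. The following is an added example, not Joomla's code: it uses PDO prepared statements against an in-memory SQLite table, and the table layout, sample rows and function names are constructed for the illustration.

```php
<?php
// Added example (not Joomla's code): the three query shapes from the advisory
// rebuilt with PDO prepared statements, so request data never becomes SQL text.
// Table layout, sample rows and function names are constructed for illustration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE weblinks (id INTEGER, catid INTEGER, published INTEGER, archived INTEGER)");
$db->exec("CREATE TABLE users (id INTEGER, email TEXT)");
$db->exec("CREATE TABLE sections (id INTEGER, name TEXT, title TEXT, description TEXT, published INTEGER)");
$db->exec("INSERT INTO weblinks VALUES (1, 1, 1, 0), (2, 2, 1, 0)");
$db->exec("INSERT INTO users VALUES (1, 'a@example.org'), (2, 'b@example.org')");
$db->exec("INSERT INTO sections VALUES (1, 'News', 'News', '100% daily', 1)");

// catid (the _buildQuery() case): the value is an integer by contract, so cast it
// before binding; anything appended after the number is discarded.
function weblinksByCategory(PDO $db, string $catid): array {
    $stmt = $db->prepare("SELECT id FROM weblinks WHERE catid = :catid AND published = 1 AND archived = 0");
    $stmt->execute([':catid' => (int) $catid]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// email (the check() case): bind the string; a quote inside it is data, not SQL.
function emailTakenByOther(PDO $db, string $email, int $selfId): bool {
    $stmt = $db->prepare("SELECT id FROM users WHERE email = :email AND id != :id");
    $stmt->execute([':email' => $email, ':id' => $selfId]);
    return $stmt->fetchColumn() !== false;
}

// searchword (the plugins/search/* case): bind the LIKE pattern, and escape the
// LIKE metacharacters so a literal '%' or '_' in the term does not act as a wildcard.
function searchSections(PDO $db, string $text): array {
    $pattern = '%' . addcslashes($text, '\\%_') . '%';
    $stmt = $db->prepare(
        "SELECT name FROM sections WHERE (name LIKE :p1 ESCAPE '\\' OR title LIKE :p2 ESCAPE '\\'"
        . " OR description LIKE :p3 ESCAPE '\\') AND published = 1"
    );
    $stmt->execute([':p1' => $pattern, ':p2' => $pattern, ':p3' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Inputs shaped like the advisory's PoCs are treated as plain values.
var_dump(weblinksByCategory($db, '1 SQLINJECTION'));            // number with trailing text
var_dump(emailTakenByOther($db, "x@example.org' OR '1'='1", 2)); // quote inside the string
var_dump(searchSections($db, "%'/**/"));                         // wildcard and quote in the term
var_dump(searchSections($db, '100%'));                           // literal '%' in the term
```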
  
  
Also, there are several full path disclosure bugs in Joomla 1.5.0 Beta.
Many files call the "jimport()" function at the top of the file, so direct access
to these files will expose the full path of the script. For example:
http://test/plugins/user/example.php  
http://test/plugins/authentication/gmail.php  
http://test/plugins/authentication/example.php  
http://test/plugins/authentication/ldap.php  
http://test/modules/mod_mainmenu/menu.php  
..  
  
The original advisory (in Persian) is located at:
http://www.hackers.ir/advisories/festival.txt  
  
  
- Omid
