Joomla RedShop 1.0.23.1 Blind SQL Injection

2010-07-16T00:00:00
ID PACKETSTORM:91864
Type packetstorm
Reporter Salvatore Fresta
Modified 2010-07-16T00:00:00

Description

                                        
                                            `RedShop 1.0.23.1 Joomla Component Blind SQL Injection Vulnerability  
  
Name RedShop  
Vendor http://redweb.dk  
Versions Affected 1.0.23.1  
  
Author Salvatore Fresta aka Drosophila  
Website http://www.salvatorefresta.net  
Contact salvatorefresta [at] gmail [dot] com  
Date 2010-07-13  
  
X. INDEX  
  
I. ABOUT THE APPLICATION  
II. DESCRIPTION  
III. ANALYSIS  
IV. SAMPLE CODE  
V. FIX  
  
  
I. ABOUT THE APPLICATION  
________________________  
  
RedShop is a popular and commercial Joomla component.  
It is a Content Creation Kit style of webshop / webshop  
tool where you got the most access ever given to any user  
to completely style around and change thier webshop,  
without alot more knowledge then HTML and a bit of CSS.  
  
  
II. DESCRIPTION  
_______________  
  
A parameter in the search form is not properly sanitised  
before being used in a SQL query.  
  
  
III. ANALYSIS  
_____________  
  
Summary:  
  
A) Blind SQL Injection  
  
  
A) Blind SQL Injection  
______________________  
  
The parameters viewform and id are not properly sanitised  
The parameter keyword is not properly sanitised before  
being used in a SQL query. This can be exploited to  
manipulate SQL queries by injecting arbitrary SQL code.  
  
Successful exploitation requires that "magic_quotes_gpc"  
is disabled.  
  
  
IV. SAMPLE CODE  
_______________  
  
A) Blind SQL Injection  
  
Copy and past the following lines in the search form:  
  
' AND (SELECT(IF(ASCII(0x41) = 64,false,NULL))) OR '  
' AND (SELECT(IF(ASCII(0x41) = 65,true,NULL))) OR '  
  
  
V. FIX  
______  
  
No fix.  
  
`