Joomla Appointinator 1.0.1 SQL Injection

2010-07-28T00:00:00
ID PACKETSTORM:92210
Type packetstorm
Reporter Salvatore Fresta
Modified 2010-07-28T00:00:00

Description

                                        
                                            `Appointinator 1.0.1 Joomla Component Multiple Remote Vulnerabilities  
  
Name Appointinator  
Vendor http://appointinator.chemeia.info  
Versions Affected 1.0.1  
  
Author Salvatore Fresta aka Drosophila  
Website http://www.salvatorefresta.net  
Contact salvatorefresta [at] gmail [dot] com  
Date 2010-07-27  
  
X. INDEX  
  
I. ABOUT THE APPLICATION  
II. DESCRIPTION  
III. ANALYSIS  
IV. SAMPLE CODE  
V. FIX  
  
  
I. ABOUT THE APPLICATION  
________________________  
  
Appointinator is a small and convenient component, that  
allows you to start appointment polls for your  
registered users.  
  
  
II. DESCRIPTION  
_______________  
  
Some parameters are not properly sanitised before being  
used in SQL queries. These bugs can be exploited from  
registered users.  
  
  
III. ANALYSIS  
_____________  
  
Summary:  
  
A) SQL Injection  
B) Blind SQL Injection  
  
  
A) SQL Injection  
________________  
  
The parameter aid passed to app.php when view is set to  
App is not properly sanitised before being used in a SQL  
query. This can be exploited to manipulate SQL queries  
by injecting arbitrary SQL code.  
  
  
B) Blind SQL Injection  
______________________  
  
The parameter aid passed to app.php via POST in the vote  
form is not properly sanitised before being used in a  
SQL query by the store function. This can be exploited  
to manipulate SQL queries by injecting arbitrary SQL  
code.  
  
  
IV. SAMPLE CODE  
_______________  
  
A) SQL Injection  
  
http://site/path/index.php?option=com_appointinator&view=App&aid=-1 UNION SELECT 1,CONCAT(username,0x3A,password),3,4,5,6 FROM jos_users  
  
  
V. FIX  
______  
  
No fix.  
  
`