Visitors Google Map Lite 1.0.1 mod_visitorsgooglemap SQL Injection

2010-09-09T00:00:00
ID 1337DAY-ID-14044
Type zdt
Reporter Chip D3 Bi0s
Modified 2010-09-09T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            ==================================================================
Visitors Google Map Lite 1.0.1 mod_visitorsgooglemap SQL Injection
==================================================================

- Discovered by : Chip D3 Bi0s
- Email         : chipdebios[at]gmail[dot]com
- Group         : LatinHackTeam
- Date          : 2010-09-08
- Where         : From Remote
 
-------------------------------------------------------------------------------------
Affected software description
 
Application     : Visitors Google Map Lite 1.0.1 (FREE) (module:mod_visitorsgooglemap)
Developer       : Serdar Gökkus
Compatibility   : Joomla 1.5 Native
License         : GPLv2 or later
Date Added      : Sunday August 29, 2010 01:14:14
Download        : http://www.comlantis.com/download/doc_download/2-visitors-google-map-lite-101-free.html
 
I. BACKGROUND
 
This extension tracks visitors of your site in real time and displays their
locations in Google Map. It uses three main technologies:
 
- Map API of Google
- AJAX
- IP geolocation API of IPInfoDB
 
Content of VisitorsGoogeMap Package:
This extension contains one Joomla Compoment and two Joomla Modules.
 
com_visitorsgooglemap: This component is responsible for the creation
                       database table during installation and remove
                       it clearly in case of uninstallation.
 
mod_visitorsgooglemap: This module is responsible for the display of
                       Google Map in desired module position in your
                       template and track the visitors of your Joomla
                       page in the map.
 
mod_visitorsgooglemap_agent: This module is responsible for the updating
                             visitors information in the database.
 
II. DESCRIPTION
 
Some sql injecton vulnerabilities exist in mod_visitorsgooglemap module .
 
 
III. ANALYSIS
 
The bug is in the following files, specifying the lines
 
/mod_visitorsgooglemap/map_data.php
 
 
[16] [if ($_GET['action'] == 'listpoints')
[17]        {
[18]            $lastMarkerID = $_GET['lastMarkerID'];
[19]            ini_set('default_mimetype','text/xml'); // manchmal notwendig
[20]            header ('Content-Type: text/xml'); // reicht nicht immer
[21]            echo '<?xml version="1.0" ?>';
[22]            echo '<xmlresponse>';
[23]        $database =& JFactory::getDBO();
[24]        $query = "SELECT * FROM #__visitorsgooglemap_location where id > $lastMarkerID order by id";
 
 Explanation:As noted in the line [24] $ lastMarkerID
 nowhere is filtered, which result in a query pede unexpected
 
 
IV. EXPLOITATION
 
http://site/path/modules/mod_visitorsgooglemap/map_data.php?action=listpoints&lastMarkerID=0{sql}
 
 
 
 
+++++++++++++++++++++++++++++++++++++++
[!] Produced in South America
+++++++++++++++++++++++++++++++++++++++



#  0day.today [2018-03-06]  #