JE Guestbook 1.0 Joomla Component Multiple Remote Vulnerabilities

2010-10-01T00:00:00
ID 1337DAY-ID-14266
Type zdt
Reporter Salvatore Fresta
Modified 2010-10-01T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            =================================================================
JE Guestbook 1.0 Joomla Component Multiple Remote Vulnerabilities
=================================================================

 Name              JE Guestbook
 Vendor            http://www.joomlaextensions.co.in
 Versions Affected 1.0
 
 Author            Salvatore Fresta aka Drosophila
 Website           http://www.salvatorefresta.net
 Contact           salvatorefresta [at] gmail [dot] com
 Date              2010-09-30
 
X. INDEX
 
 I.    ABOUT THE APPLICATION
 II.   DESCRIPTION
 III.  ANALYSIS
 IV.   SAMPLE CODE
 V.    FIX
  
 
I. ABOUT THE APPLICATION
________________________
 
JE Guest  Component  is  an open source Joomla guestbook
component  with  spam protection  and many customization
options.
 
 
II. DESCRIPTION
_______________
 
Some parameters are not properly sanitised.
 
 
III. ANALYSIS
_____________
 
Summary:
 
 A) Local File Inclusion
 B) Multiple Blind SQL Injection
  
 
A) Local File Inclusion
_______________________
 
Input passed to the "view" parameter in  jeguestbook.php
(when option is set to com_jeguestbook)  is not properly
verified before being used to include files. This can be
exploited   to   include   arbitrary  files  from  local
resources    via   directory   traversal   attacks   and
URL-encoded NULL bytes.
 
 
B) Multiple Blind SQL Injection
_______________________________
 
Many parameters are not properly sanitised before being
used in SQL queries.This can be exploited to manipulate
SQL queries by injecting arbitrary SQL code.
 
 
IV. SAMPLE CODE
_______________
 
A) Local File Inclusion
 
http://site/path/index.php?option=com_jeguestbook&view=../../../../../../../../etc/passwd%00
 
 
B) Multiple Blind SQL Injection
 
http://site/path/index.php?option=com_jeguestbook&view=item_detail&d_itemid=-1 OR (SELECT(IF(0x41=0x41, BENCHMARK(999999999,NULL),NULL)))
 
 
V. FIX
______
 
No fix.



#  0day.today [2018-03-14]  #