68 lines
No EOL
1.6 KiB
Text
68 lines
No EOL
1.6 KiB
Text
###################################################################
|
|
Techfolio 1.0 Component Joomla SQL Injection
|
|
###################################################################
|
|
|
|
Release Date Bug. 27-Oct-2011
|
|
Date Added. 30-Sep-2011
|
|
Vendor Notification Date. Never
|
|
Product. Techfolio
|
|
Platform. Joomla
|
|
Affected versions. 1.0
|
|
Type. Non-Commercial
|
|
Attack Vector. Sql Injection
|
|
Solution Status. unpublished
|
|
CVE reference. Not yet assigned
|
|
Download. techdeluge.com/joomla-component/com_techfolio.zip
|
|
|
|
|
|
I. BACKGROUND
|
|
|
|
This component is made for portfolio purpose.
|
|
Its easy to integrate and easy to made custom design.
|
|
category based structure.
|
|
this is base component we are in process with upgrade version also.
|
|
with new feature and new functionality which is easy to integrate.
|
|
we will launch it within 10 days.
|
|
|
|
II. DESCRIPTION
|
|
|
|
discovered a vulnerability in Techfolio, joomla component,
|
|
vulnerability is SQL injection
|
|
|
|
The parameters affected are:
|
|
catid
|
|
|
|
|
|
III. ANALYSIS
|
|
|
|
|
|
file:
|
|
/com_techfolio/frontend/models/techfoliodetail.php
|
|
|
|
[29] $catid = $_GET['catid'];
|
|
[30] if($catid!=''){
|
|
[31] $data = "SELECT * FROM #__techfolio WHERE catid = ".$catid;
|
|
[32] }else{
|
|
[33] $data = "SELECT * FROM #__techfolio";
|
|
[34] }
|
|
[35] $db->setQuery( $data );
|
|
[36] $data = $db->loadObjectList();
|
|
[37]
|
|
[38] return $data;
|
|
|
|
query to the variable $catid is not filtered
|
|
|
|
|
|
IV. EXPLOITATION
|
|
|
|
|
|
parameter [catid]:
|
|
|
|
//index.php?option=com_techfolio&view=techfoliodetail&catid=1[SQL]
|
|
|
|
[SQL]=injection sql
|
|
|
|
|
|
|
|
Discovered by.
|
|
Chris Russell |