76 lines
No EOL
1.6 KiB
Text
76 lines
No EOL
1.6 KiB
Text
Appointinator 1.0.1 Joomla Component Multiple Remote Vulnerabilities
|
|
|
|
Name Appointinator
|
|
Vendor http://appointinator.chemeia.info
|
|
Versions Affected 1.0.1
|
|
|
|
Author Salvatore Fresta aka Drosophila
|
|
Website http://www.salvatorefresta.net
|
|
Contact salvatorefresta [at] gmail [dot] com
|
|
Date 2010-07-27
|
|
|
|
X. INDEX
|
|
|
|
I. ABOUT THE APPLICATION
|
|
II. DESCRIPTION
|
|
III. ANALYSIS
|
|
IV. SAMPLE CODE
|
|
V. FIX
|
|
|
|
|
|
I. ABOUT THE APPLICATION
|
|
________________________
|
|
|
|
Appointinator is a small and convenient component, that
|
|
allows you to start appointment polls for your
|
|
registered users.
|
|
|
|
|
|
II. DESCRIPTION
|
|
_______________
|
|
|
|
Some parameters are not properly sanitised before being
|
|
used in SQL queries. These bugs can be exploited from
|
|
registered users.
|
|
|
|
|
|
III. ANALYSIS
|
|
_____________
|
|
|
|
Summary:
|
|
|
|
A) SQL Injection
|
|
B) Blind SQL Injection
|
|
|
|
|
|
A) SQL Injection
|
|
________________
|
|
|
|
The parameter aid passed to app.php when view is set to
|
|
App is not properly sanitised before being used in a SQL
|
|
query. This can be exploited to manipulate SQL queries
|
|
by injecting arbitrary SQL code.
|
|
|
|
|
|
B) Blind SQL Injection
|
|
______________________
|
|
|
|
The parameter aid passed to app.php via POST in the vote
|
|
form is not properly sanitised before being used in a
|
|
SQL query by the store function. This can be exploited
|
|
to manipulate SQL queries by injecting arbitrary SQL
|
|
code.
|
|
|
|
|
|
IV. SAMPLE CODE
|
|
_______________
|
|
|
|
A) SQL Injection
|
|
|
|
http://site/path/index.php?option=com_appointinator&view=App&aid=-1 UNION SELECT 1,CONCAT(username,0x3A,password),3,4,5,6 FROM jos_users
|
|
|
|
|
|
V. FIX
|
|
______
|
|
|
|
No fix. |