Joomla! Component ArtForms 2.1b7.2 rc2 – Multiple Vulnerabilities

  • Author: Salvatore Fresta
    Date: 2010-07-07
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/14263/
  • ArtForms 2.1b7.2 RC2 Joomla Component Multiple Remote Vulnerabilities
    
     Name              ArtForms
     Vendor            http://joomlacode.org/gf/project/jartforms/
     Versions Affected 2.1b7.2 RC2
    
     Author            Salvatore Fresta aka Drosophila
     Website           http://www.salvatorefresta.net
     Contact           salvatorefresta [at] gmail [dot] com
     Date              2010-07-07
    
    X. INDEX
    
     I.   ABOUT THE APPLICATION
     II.  DESCRIPTION
     III. ANALYSIS
     IV.  SAMPLE CODE
     V.   FIX
     
    
    I. ABOUT THE APPLICATION
    ________________________
    
    ArtForms is a popular Joomla component.
    The ArtForms component is a package for an easy Form
    Generator for Joomla 1.0.xx. It allows you to generate
    as many forms as you like; you can define all the fields
    that you need and also make file upload and attachment
    possible.
    
    
    II. DESCRIPTION
    _______________
    
    Some parameters are not sanitised before being used in
    SQL queries and in dangerous PHP functions.
    The vulnerabilities are reported in version 2.1b7.2 RC2.
    Other versions may also be affected.
    
    
    III. ANALYSIS
    _____________
    
    Summary:
    
     A) Multiple SQL Injection
     B) Directory Traversal
     C) Reflected XSS
     
    
    A) Multiple SQL Injection
    _________________________
    
    The parameters viewform and id are not properly sanitised
    before being used in a SQL query. This can be exploited to
    manipulate SQL queries by injecting arbitrary SQL code.
    
    
    B) Directory Traversal
    ______________________
    
    The l parameter in alikon/captcha.php is not properly
    sanitised before being used to create a path for a file
    that will be downloaded. This can be exploited to download
    arbitrary files from local resources via directory
    traversal attacks.
    
    
    C) Reflected XSS
    ________________
    
    The afmsg parameter is not properly sanitised before
    being printed. This allows the execution of arbitrary HTML
    code.
    
    
    IV. SAMPLE CODE
    _______________
    
    A) Multiple SQL Injection
    
    index.php?option=com_artforms&task=ferforms&viewform=1 UNION SELECT 1,2,3,4,5,6%23
    index.php?option=com_artforms&task=vferforms&id=1 UNION SELECT 1,2,3,4,5,6%23
    index.php?option=com_artforms&task=tferforms&viewform=1 UNION SELECT 1,2,3,4,5,6%23
    
    
    B) Directory Traversal
    
    http://site/path/components/com_artforms/assets/captcha/includes/alikon/playcode.php?l=../../../../../../../../../../../../etc/passwd%00
    
    
    C) Reflected XSS
    
    index.php?option=com_artforms&formid=1&afmsg=<script>alert('xss');</script>
    
    
    V. FIX
    ______
    
    No fix.
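
With no vendor fix, requests matching the three issues in section III can be flagged or rejected in front of the component. The following is an added example, not part of the original advisory or the ArtForms code: a Python check that allows only digits in viewform and id, rejects dot-dot, path separators and NUL bytes in the l parameter under the alikon captcha directory, and rejects markup in afmsg. The function names and sample URLs are constructed, and the rule for l assumes a legitimate value never contains a path separator.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Directory taken from the advisory's traversal sample (section IV.B).
ALIKON_DIR = "/com_artforms/assets/captcha/includes/alikon/"


def check_request(url):
    """Return findings for one request URL; an empty list means clean."""
    parts = urlsplit(url)
    # parse_qs percent-decodes values; keep blanks so empty params are seen.
    params = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    if "com_artforms" in params.get("option", []):
        # A) viewform and id reach SQL queries: accept ASCII digits only.
        for name in ("viewform", "id"):
            if any(not re.fullmatch(r"[0-9]+", v) for v in params.get(name, [])):
                findings.append("sqli:" + name)
        # C) afmsg is printed back into the page: reject angle brackets.
        if any(re.search(r"[<>]", v) for v in params.get("afmsg", [])):
            findings.append("xss:afmsg")
    if ALIKON_DIR in unquote(parts.path):
        # B) l is used to build a file path. Assumption: a legitimate value
        # never needs dot-dot, a path separator, or a NUL byte.
        if any(re.search(r"\.\.|[/\\\x00]", v) for v in params.get("l", [])):
            findings.append("traversal:l")
    return findings


# Constructed sample requests modelled on the request shapes in section IV.
SAMPLE_REQUESTS = [
    "/index.php?option=com_artforms&task=ferforms&viewform=1",
    "/index.php?option=com_artforms&task=vferforms&id=1%20UNION%20SELECT%201,2,3,4,5,6%23",
    "/components/com_artforms/assets/captcha/includes/alikon/playcode.php?l=..%2F..%2Fetc%2Fpasswd%00",
    "/index.php?option=com_artforms&formid=1&afmsg=%3Cscript%3Ealert(1)%3C/script%3E",
]


def scan(urls):
    """Map each flagged URL to its list of findings."""
    return {u: f for u in urls if (f := check_request(u))}


if __name__ == "__main__":
    for url, hits in scan(SAMPLE_REQUESTS).items():
        print(", ".join(hits), "<-", url)
```

The same three rules translate directly to a reverse-proxy or WAF policy; the check only reduces exposure and does not repair the component's query building or file handling.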