Joomla! Component com_appointinator 1.0.1 – Multiple Vulnerabilities

• Exploit Database
• 113 阅读

• 作者： Salvatore Fresta
  日期： 2010-07-27
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/14488/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77

  Appointinator 1.0.1 Joomla Component Multiple Remote Vulnerabilities   NameAppointinator Vendorhttp://appointinator.chemeia.info Versions Affected 1.0.1   AuthorSalvatore Fresta aka Drosophila Website http://www.salvatorefresta.net Contact salvatorefresta [at] gmail [dot] com Date2010-07-27   X. INDEX   I.ABOUT THE APPLICATION II. DESCRIPTION III.ANALYSIS IV. SAMPLE CODE V.FIX   I. ABOUT THE APPLICATION ________________________   Appointinator is a small and convenient component,that allowsyouto start appointment pollsforyour registered users.     II. DESCRIPTION _______________   Some parametersare not properly sanitised before being used in SQL queries.Thesebugscan be exploited from registered users.     III. ANALYSIS _____________   Summary:   A) SQL Injection B) Blind SQL Injection   A) SQL Injection ________________   The parameteraid passed to app.php when view is set to App is not properly sanitised before being used in a SQL query.This canbe exploited to manipulate SQL queries by injecting arbitrary SQL code.     B) Blind SQL Injection ______________________   The parameter aid passed to app.php via POST in the vote formisnotproperly sanitised before being used in a SQL query by the store function. This canbeexploited tomanipulateSQLqueriesby injecting arbitrary SQL code.     IV. SAMPLE CODE _______________   A) SQL Injection   http://site/path/index.php?option=com_appointinator&view=App&aid=-1 UNION SELECT 1,CONCAT(username,0x3A,password),3,4,5,6 FROM jos_users     V. FIX ______   No fix.