BugTraq
Canteen Joomla Component 1.0 Multiple Remote Vulnerabilities Jul 04 2010 12:22PM
Salvatore Fresta aka Drosophila (drosophilaxxx gmail com)

Canteen Joomla Component 1.0 Multiple Remote Vulnerabilities

Name Canteen
Vendor http://www.miniwork.eu
Versions Affected 1.0

Author Salvatore Fresta aka Drosophila
Website http://www.salvatorefresta.net
Contact salvatorefresta [at] gmail [dot] com
Date 2010-04-07

X. INDEX

I. ABOUT THE APPLICATION
II. DESCRIPTION
III. ANALYSIS
IV. SAMPLE CODE
V. FIX

I. ABOUT THE APPLICATION

Canteen is a Joomla 1.5 component.
This component is written for canteens. You can easily
manage daily menu with this component.

II. DESCRIPTION

Some parameters are not sanitised before being used in
SQL queries and in danger PHP's functions.

III. ANALYSIS

Summary:

A) Local File Inclusion
B) Multiple Blind SQL Injection

A) Local File Inclusion

The controller parameter in canteen.php is not sanitised
before being used in the PHP function's require_once().
This allows a guest to include local files. The following
is the affected code:

if($controller = JRequest::getVar('controller')) {

require_once (JPATH_COMPONENT.DS.'controllers'.DS.$controller.'.php');

}

B) Multiple Blind SQL Injection

The meailid parameter in menu.php is not properly
before being used in multiple SQL queries. This can be
exploited to manipulate SQL queries by injecting
arbitrary SQL code. The following is the affected code:

$mealid = JRequest::getVar('mealid');
$SQLQuery = "INSERT INTO #__miniwork_canteen_order (jo_userid, jo_mealid, jo_created, jo_createdby, jo_changed, jo_changedby)
VALUES (".$user->id.", ".$mealid.", NOW(), '".$user->sSecondName." ".$user->sFirstName."', NOW(), '".$user->sSecondName." ".$user->sFirstName."')";


$mealid = JRequest::getVar('mealid');
$SQLQuery = "DELETE FROM #__miniwork_canteen_order WHERE jo_mealid = ".$mealid." AND jo_userid = ".$orduser->id.";";

$mealid = JRequest::getVar('mealid');
$SQLQuery = "UPDATE #__miniwork_canteen_order SET jo_userid = ".$orduser->id.", jo_changed=NOW(), jo_changedby='".$orduser->sSecondName." ".$orduser->sFirstName."' WHERE jo_mealid=".$mealid." AND jo_userid is null LIMIT 1;";

IV. SAMPLE CODE

A) Local File Inclusion

http://site/path/index.php?option=com_canteen&controller=../../../../../
etc/passwd%00

V. FIX

Checking for path traversal sequence and useing of PHP
function's intval() for integer values.

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus