Joomla.it Forum

Not only Joomla... => Security => : vamba 04 Jul 2010, 17:49:21

: [Unverified] Joomla Phoca Gallery Component SQL Injection Vulnerability
: vamba 04 Jul 2010, 17:49:21
The release in question is 2.7.3, but it is very likely that earlier releases have the same problem.
We recommend checking for a possible update from the developer soon.
http://www.phoca.cz/download/category/1-phoca-gallery-component

:
[+] Dork: inurl:"com_phocagallery"
 
==========================================
 
 
[+].  SQL-i Vulnerability
=+=+=+=+=+=+=+=+=+
 
[Exploit]:  http://server/path/index.php?option=com_phocagallery&view=categories&Itemid=[SQL Injection]
: Re:Joomla Phoca Gallery Component (com_phocagallery) SQL Injection Vulnerability
: mau_develop 04 Jul 2010, 18:37:13
in my opinion it doesn't work

M.
: Re:Joomla Phoca Gallery Component (com_phocagallery) SQL Injection Vulnerability
: jeckodevelopment 04 Jul 2010, 19:53:35
I tried the text as it is but it only gives me a category view... hmm
: Re:Joomla Phoca Gallery Component (com_phocagallery) SQL Injection Vulnerability
: mau_develop 04 Jul 2010, 22:48:55
any Joomla itemid gives a scanner a false positive.

if I remember correctly, with the ordering itemid you also get an error returned where you can see some paths... remember, Marco?
 ...it was one of the first PMs I sent you :)

M.
: Re:Joomla Phoca Gallery Component (com_phocagallery) SQL Injection Vulnerability
: H13 05 Jul 2010, 11:34:29
Hi,

From the url which is taken as exploit:
http://server/path/index.php?option=com ... es&Itemid=[SQL Injection]

I cannot find any not protected Itemid section in Phoca Gallery:

Categories View:
::view.html.php
- line 155 - JRequest::getVar('Itemid', 0, '', 'int') - protected by integer
:: there is no controller for this view
:: model does not include any itemid request

PhocaGalleryRoute Class:
Both codes:
:
$currentItemId = JRequest::getVar('Itemid', 0, '', 'int');

if (!$items) {
    return JRequest::getVar('Itemid', 0, '', 'int');
}


are protected by integer.

So for now I see no place where the exploit can be used.

I will do more tests (but I looked at the whole categories view, route helper file and all the libraries).


Jan
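
Added example, not part of the thread and not Phoca Gallery or Joomla code: a PHP sketch of the behaviour described in the post above, where an integer-filtered Itemid is reduced to a number before it can reach a query. The function names, the table name and the sample inputs are constructed for illustration, and the digit-extraction rule is an assumption about how such a filter behaves.

```php
<?php
// Added illustration; hypothetical helpers, not Joomla or Phoca Gallery source.

/**
 * Hypothetical stand-in for an integer request filter: keep the first
 * optionally signed run of digits, cast it, otherwise use the default.
 */
function filter_int_param(array $request, string $name, int $default = 0): int
{
    if (!isset($request[$name]) || !is_scalar($request[$name])) {
        return $default;            // missing or array-valued parameter
    }
    if (preg_match('/-?[0-9]+/', (string) $request[$name], $m) !== 1) {
        return $default;            // no digits anywhere in the value
    }
    return (int) $m[0];
}

/** Build a statement from the filtered value (example_menu is a made-up table). */
function build_menu_query(int $itemId): string
{
    // Only an int can arrive here, so no quote or keyword survives.
    return 'SELECT id, title FROM example_menu WHERE id = ' . $itemId;
}

// Constructed sample values of the kind a scanner places in Itemid.
$samples = [
    '42',
    "42'",
    '42 OR 1=1',
    '42 UNION SELECT 1,2-- ',
    "' OR '1'='1",
    'abc',
    ['nested' => '1'],
];

foreach ($samples as $raw) {
    $id = filter_int_param(['Itemid' => $raw], 'Itemid');
    printf("%-26s => %2d => %s\n", json_encode($raw), $id, build_menu_query($id));
}
```

The first four values all produce the same statement as a plain `42`, so a page that renders normally for them is not evidence of injection.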
: Re:Joomla Phoca Gallery Component (com_phocagallery) SQL Injection Vulnerability
: mau_develop 05 Jul 2010, 12:15:08
yeah man :) I think it's only a kiddie and the target is not clear.. or he was only stupid.

Have you seen and deobfuscated the shell code?

M.
: Re:Joomla Phoca Gallery Component (com_phocagallery) SQL Injection Vulnerability
: jeckodevelopment 05 Jul 2010, 12:42:23
We have the pleasure of having the developer of Phoca Gallery here.
We are at ease after his reassurance regarding the hypothetical vulnerability.

Hi H13, welcome to the Joomla.it forum, we're pleased to receive your direct interest in this hypothetical vulnerability that could affect your Phoca Gallery extension.
: Re:Joomla Phoca Gallery Component (com_phocagallery) SQL Injection Vulnerability
: H13 05 Jul 2010, 14:10:57
Hi,

Have you seen and deobfuscated the shell code?

Not sure what you mean exactly, but as the itemid request is protected by integer (it means all strings, including some exploit SQL query, will be translated to an integer - a number), there should not be any problem with any method used (shell or any other method).
: Re:Joomla Phoca Gallery Component (com_phocagallery) SQL Injection Vulnerability
: mau_develop 05 Jul 2010, 14:49:24
sorry, I confused it with this
http://forum.joomla.it/index.php/topic,107941.0.html

M.
: Re:[Non verificato] Joomla Phoca Gallery Component SQL Injection Vulnerability
: vamba 05 Jul 2010, 17:09:27
Issue moved to unverified status.