AkoComment SQL injection vulnerability

Credit: Stefan Keller
Risk: Medium
Local: No
Remote: Yes

CVSS Base Score: 5.1/10
Impact Subscore: 6.4/10
Exploitability Subscore: 4.9/10
Exploit range: Remote
Attack complexity: High
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

AkoComment is a well known and widely used add-on for the Mambo and Joomla Content Management Systems. It allows users to post comments to articles. AkoComment 2.0 suffers from an SQL injection vulnerability (components/com_akocomment/akocomment.php): # Clear any HTML and SQL injections $title = strip_tags($title); $comment = strip_tags($comment); $title = mysql_escape_string($title); $comment = mysql_escape_string($comment); # Perform database query $date = date( "Y-m-d H:i:s" ); $ip = getenv('REMOTE_ADDR'); $query2 = "INSERT INTO #__akocomment SET contentid='$contentid', ip='$ip', name='$acname', title='$title', comment='$comment', date='$date', published='$ac_autopublish';"; $database->setQuery( $query2 ); $database->query(); While the user provided comment and comment title is properly sanitized, the client provided $acname and $contentid are not. These correspond to hidden, value-prefilled FORM variables in the akocomment created html form. It is widely known that just because the values are hidden and not changeable in a standard web browser doesn't mean they are not client provided and thus aren't trivially modified. Since the variables are not sanitized in any way the SQL injection itself is straight-forward, provided magic_quotes_gpc = off. Solution: To fix this vulnerability put the following lines before the "# Perform database query" line: $contentid = intval(strip_tags($contentid)); $acname = mysql_escape_string(strip_tags($acname)); -- Stefan Keller <skeller (at) pobox (dot) com [email concealed]>

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com


Back to Top