Visitors Google Map 1.0.1 remote SQL injection vulnerability

2010.09.14

Credit: Chip D3 Bi0s

Risk: Medium

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-89

Visitors Google Map Lite 1.0.1 (FREE) (module mod_visitorsgooglemap Remote Sql Injection)
=========================================================================================
 
- Discovered by : Chip D3 Bi0s
- Email         : chipdebios[at]gmail[dot]com
- Group         : LatinHackTeam
- Date          : 2010-09-08
- Where         : From Remote
 
-------------------------------------------------------------------------------------
Affected software description
 
Application     : Visitors Google Map Lite 1.0.1 (FREE) (module:mod_visitorsgooglemap)
Developer       : Serdar Gkkus
Compatibility   : Joomla 1.5 Native
License         : GPLv2 or later
Date Added      : Sunday August 29, 2010 01:14:14
Download        : http://www.comlantis.com/download/doc_download/2-visitors-google-map-lite-101-free.html
 
I. BACKGROUND
 
This extension tracks visitors of your site in real time and displays their
locations in Google Map. It uses three main technologies:
 
- Map API of Google
- AJAX
- IP geolocation API of IPInfoDB
 
Content of VisitorsGoogeMap Package:
This extension contains one Joomla Compoment and two Joomla Modules.
 
com_visitorsgooglemap: This component is responsible for the creation
                       database table during installation and remove
                       it clearly in case of uninstallation.
 
mod_visitorsgooglemap: This module is responsible for the display of
                       Google Map in desired module position in your
                       template and track the visitors of your Joomla
                       page in the map.
 
mod_visitorsgooglemap_agent: This module is responsible for the updating
                             visitors information in the database.
 
II. DESCRIPTION
 
Some sql injecton vulnerabilities exist in mod_visitorsgooglemap module .
 
 
III. ANALYSIS
 
The bug is in the following files, specifying the lines
 
/mod_visitorsgooglemap/map_data.php
 
 
[16] [if ($_GET['action'] == 'listpoints')
[17]        {
[18]            $lastMarkerID = $_GET['lastMarkerID'];
[19]            ini_set('default_mimetype','text/xml'); // manchmal notwendig
[20]            header ('Content-Type: text/xml'); // reicht nicht immer
[21]            echo '<?xml version="1.0" ?>';
[22]            echo '<xmlresponse>';
[23]        $database =& JFactory::getDBO();
[24]        $query = "SELECT * FROM #__visitorsgooglemap_location where id > $lastMarkerID order by id";
 
 Explanation:As noted in the line [24] $ lastMarkerID
 nowhere is filtered, which result in a query pede unexpected
 
 
IV. EXPLOITATION
 
http://site/path/modules/mod_visitorsgooglemap/map_data.php?action=listpoints&lastMarkerID=0{sql}
 
 
 
 
+++++++++++++++++++++++++++++++++++++++
[!] Produced in South America
+++++++++++++++++++++++++++++++++++++++

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Visitors Google Map 1.0.1 remote SQL injection vulnerability

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.