Canteen Joomla Component 1.0 Multiple Remote Vulnerabilities

2011.11.04
Credit: drosophilaxxx
Risk: High
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Canteen Joomla Component 1.0 Multiple Remote Vulnerabilities Name Canteen Vendor http://www.miniwork.eu Versions Affected 1.0 Author Salvatore Fresta aka Drosophila Website http://www.salvatorefresta.net Contact salvatorefresta [at] gmail [dot] com Date 2010-04-07 X. INDEX I. ABOUT THE APPLICATION II. DESCRIPTION III. ANALYSIS IV. SAMPLE CODE V. FIX I. ABOUT THE APPLICATION Canteen is a Joomla 1.5 component. This component is written for canteens. You can easily manage daily menu with this component. II. DESCRIPTION Some parameters are not sanitised before being used in SQL queries and in danger PHP's functions. III. ANALYSIS Summary: A) Local File Inclusion B) Multiple Blind SQL Injection A) Local File Inclusion The controller parameter in canteen.php is not sanitised before being used in the PHP function's require_once(). This allows a guest to include local files. The following is the affected code: if($controller = JRequest::getVar('controller')) { require_once (JPATH_COMPONENT.DS.'controllers'.DS.$controller.'.php'); } B) Multiple Blind SQL Injection The meailid parameter in menu.php is not properly before being used in multiple SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The following is the affected code: $mealid = JRequest::getVar('mealid'); $SQLQuery = "INSERT INTO #__miniwork_canteen_order (jo_userid, jo_mealid, jo_created, jo_createdby, jo_changed, jo_changedby) VALUES (".$user->id.", ".$mealid.", NOW(), '".$user->sSecondName." ".$user->sFirstName."', NOW(), '".$user->sSecondName." ".$user->sFirstName."')"; $mealid = JRequest::getVar('mealid'); $SQLQuery = "DELETE FROM #__miniwork_canteen_order WHERE jo_mealid = ".$mealid." AND jo_userid = ".$orduser->id.";"; $mealid = JRequest::getVar('mealid'); $SQLQuery = "UPDATE #__miniwork_canteen_order SET jo_userid = ".$orduser->id.", jo_changed=NOW(), jo_changedby='".$orduser->sSecondName." ".$orduser->sFirstName."' WHERE jo_mealid=".$mealid." AND jo_userid is null LIMIT 1;"; IV. SAMPLE CODE A) Local File Inclusion http://site/path/index.php?option=com_canteen&controller=../../../../../ etc/passwd%00 V. FIX Checking for path traversal sequence and useing of PHP function's intval() for integer values.

References:

http://xforce.iss.net/xforce/xfdb/60103
http://www.securityfocus.com/bid/41358
http://www.securityfocus.com/archive/1/archive/1/512170/100/0/threaded
http://www.salvatorefresta.net/files/adv/Canteen%20Joomla%20Component%201.0%20Multiple%20Remote%20Vulnerabilities-04072010.txt
http://secunia.com/advisories/40503
http://packetstormsecurity.org/1007-exploits/joomlacanteen-lfisql.txt
http://osvdb.org/66031


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top