Joomla Youtube Gallery 4.1.7 SQL Injection

2014.07.17
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# Exploit Title: Joomla component com_youtubegallery - SQL Injection vulnerability # Google Dork: inurl:index.php?option=com_youtubegallery # Date: 15-07-2014 # Exploit Author: Pham Van Khanh (phamvankhanhbka@gmail.com) # Vendor Homepage: http://www.joomlaboat.com/youtube-gallery # Software Link: http://www.joomlaboat.com/youtube-gallery # Version: 4.x ( 3.x maybe) # Tested on: newest version 4.1.7 on Joomla 1.5, 2.5, 3 # CVE : CVE-2014-4960 Detail: In line: 40, file: components\com_youtubegallery\models\gallery.php, if parameter listid is int (or can cast to int), $listid and $themeid will not santinized. Source code: 40: if(JRequest::getInt('listid')) 41: { 42: //Shadow Box 43: $listid=JRequest::getVar('listid'); 44: 45: 46: //Get Theme 47: $m_themeid=(int)JRequest::getVar('mobilethemeid'); 48: if($m_themeid!=0) 49: { 50: if(YouTubeGalleryMisc::check_user_agent('mobile')) 51: $themeid=$m_themeid; 52: else 53: $themeid=JRequest::getVar('themeid'); 54: } 55: else 56: $themeid=JRequest::getVar('themeid'); 57: } After, $themeid and $listid are used in line 86, 92. Two method getVideoListTableRow and getThemeTableRow concat string to construct sql query. So it is vulnerable to SQL Injection. Source code: 86: if(!$this->misc->getVideoListTableRow($listid)) 87: { 88: echo '<p>No video found</p>'; 89: return false; 90: } 91: 92: if(!$this->misc->getThemeTableRow($themeid)) 93: { 94: echo '<p>No video found</p>'; 95: return false; 96: } # Site POF: http://server/index.php?option=com_youtubegallery&view=youtubegallery&listid=1&themeid=1'&videoid=ETMVUuFbToQ&tmpl=component&TB_iframe=true&height=500&width=700


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top