Home / os / win7

Joomla Component Appointinator 1.0.1 Multiple Remote Vulnera

Posted on 27 July 2010

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>Joomla Component Appointinator 1.0.1 Multiple Remote Vulnerabilities</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>====================================================================
Joomla Component Appointinator 1.0.1 Multiple Remote Vulnerabilities
====================================================================


Appointinator 1.0.1 Joomla Component Multiple Remote Vulnerabilities
 
 Name              Appointinator
 Vendor            http://appointinator.chemeia.info
 Versions Affected 1.0.1
 
 Author            Salvatore Fresta aka Drosophila
 Website           http://www.salvatorefresta.net
 Contact           salvatorefresta [at] gmail [dot] com
 Date              2010-07-27
 
X. INDEX
 
 I.    ABOUT THE APPLICATION
 II.   DESCRIPTION
 III.  ANALYSIS
 IV.   SAMPLE CODE
 V.    FIX
  
 
I. ABOUT THE APPLICATION
________________________
 
Appointinator is a small and convenient component,  that
allows  you  to   start   appointment   polls  for  your
registered users.
 
 
II. DESCRIPTION
_______________
 
Some parameters  are not properly sanitised before being
used in SQL queries.  These  bugs  can be exploited from
registered users.
 
 
III. ANALYSIS
_____________
 
Summary:
 
 A) SQL Injection
 B) Blind SQL Injection
  
 
A) SQL Injection
________________
 
The parameter  aid passed to app.php when view is set to
App is not properly sanitised before being used in a SQL
query.  This can  be exploited to manipulate SQL queries
by injecting arbitrary SQL code.
 
 
B) Blind SQL Injection
______________________
 
The parameter aid passed to app.php via POST in the vote
form  is  not  properly sanitised before being used in a
SQL query by the store function. This can  be  exploited
to  manipulate  SQL  queries  by injecting arbitrary SQL
code.
 
 
IV. SAMPLE CODE
_______________
 
A) SQL Injection
 
http://site/path/index.php?option=com_appointinator&amp;view=App&amp;aid=-1 UNION SELECT 1,CONCAT(username,0x3A,password),3,4,5,6 FROM jos_users
 
 
V. FIX
______
 
No fix.


# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-07-27]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>

 

TOP

Malware :

Exploits :