Home / os / win7

RedShop 1.0.23.1 Joomla Component Blind SQL Injection Vulner

Posted on 15 July 2010

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>RedShop 1.0.23.1 Joomla Component Blind SQL Injection Vulnerability</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>===================================================================
RedShop 1.0.23.1 Joomla Component Blind SQL Injection Vulnerability
===================================================================


RedShop 1.0.23.1 Joomla Component Blind SQL Injection Vulnerability

 Name              RedShop
 Vendor            http://redweb.dk
 Versions Affected 1.0.23.1

 Author            Salvatore Fresta aka Drosophila
 Website           http://www.salvatorefresta.net
 Contact           salvatorefresta [at] gmail [dot] com
 Date              2010-07-13

X. INDEX

 I.    ABOUT THE APPLICATION
 II.   DESCRIPTION
 III.  ANALYSIS
 IV.   SAMPLE CODE
 V.    FIX
 

I. ABOUT THE APPLICATION
________________________

RedShop is a popular and commercial Joomla component.
It  is  a Content Creation Kit style of webshop / webshop
tool where you got the most access ever given to any user
to  completely  style  around  and  change thier webshop,
without  alot  more knowledge then HTML and a bit of CSS.


II. DESCRIPTION
_______________

A parameter in the search form  is not properly sanitised
before being used in a SQL query.


III. ANALYSIS
_____________

Summary:

 A) Blind SQL Injection
 

A) Blind SQL Injection
______________________

The parameters viewform and id are not properly sanitised
The  parameter  keyword  is not properly sanitised before 
being  used  in  a  SQL  query. This  can be exploited to
manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation  requires that &quot;magic_quotes_gpc&quot;
is disabled. 


IV. SAMPLE CODE
_______________

A) Blind SQL Injection

Copy and past the following lines in the search form:

' AND (SELECT(IF(ASCII(0x41) = 64,false,NULL))) OR '
' AND (SELECT(IF(ASCII(0x41) = 65,true,NULL))) OR '


V. FIX
______

No fix.


# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-07-15]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>

 

TOP

Malware :

Exploits :