Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Sql injection in Mambo & Joomla

From: "Omid" <omid () hackers ir>
Date: Sat, 26 Aug 2006 01:48:20 +0430
Hi,
There are several sql injections in Mambo 4.6 RC2 & Joomla 1.0.10 (and maybe
other versions) :
[The codes are from Mambo 4.6 RC2 & some may be different in Joomla]

*) When a user edits a content, the "id" parameter is not checked properly
in /components/com_content/content.php, which can cause 2 sql injections .

*) The "limit" parameter in the administration section is not checked. This
affects many pages of administration section :

File /administrator/modules/mod_logged.php, Line 45 :
:: $query = "SELECT *"
:: . "\n FROM #__session"
:: . "\n WHERE userid != 0"
:: . $_and
:: . "\n ORDER BY usertype, username"

. "\n LIMIT $pageNav->limitstart, $pageNav->limit"

:: ;

Also :
File /administrator/components/com_content/admin.content.php, Line 212 :
::      . "\n LIMIT $pageNav->limitstart,$pageNav->limit"

And many others .

*) In the administration section, while editing/creating a user, the "gid"
parameter is not checked properly :

File /administrator/components/com_users/admin.users.php, Line 260 :
::      $query = "SELECT name"
::      . "\n FROM #__core_acl_aro_groups"

     . "\n WHERE group_id = $row->gid"


And the second injection :
File /includes/gacl_api.class.php, Line 675 :
:: $this->db->setQuery( '
::      SELECT          g.group_id,o.'. $group_type .'_id,gm.group_id AS member
::      FROM            '. $object_table .' o

     LEFT JOIN       '. $group_table .' g ON g.group_id='. $group_id .'

::      LEFT JOIN       '. $table .' gm ON (gm.group_id=g.group_id AND gm.'. $group_type .'_id=o.'. $group_type .'_id)
::      WHERE           (o.section_value=\''. $this->db->getEscaped($object_section_value) .'\' AND o.value=\''. 
$this->db->getEscaped($object_value) .'\')'
:: );

And the third :
File /includes/gacl_api.class.php, Line 704 :
:: $this->db->setQuery( 'INSERT INTO '. $table .' (group_id,'. $group_type .'_id) VALUES ('. $group_id .','. $object_id 
.')' );


The original and complete advisory (in Persian), is located at :
http://www.hackers.ir/advisories/mambo-joomla.html


- Omid
Previous By Date Next
Previous By Thread Next

Current thread: