Re: Joomla com_tag v1.7.6 - (tag) SQL Injection Vulnerability

[Brandon Perry <bperry.volatile () gmail com>]

> On May 3, 2017, at 6:07 AM, Vulnerability Lab <research () vulnerability-lab com> wrote:
>
> Document Title:
> ===============
> Joomla com_tag v1.7.6 - (tag) SQL Injection Vulnerability
>
>
> References (Source):
> ====================
> https://www.vulnerability-lab.com/get_content.php?id=2061
>
> IEDB: http://iedb.ir/exploits-7454.html
>
>
> Release Date:
> =============
> 2017-05-02
>
>
> Vulnerability Laboratory ID (VL-ID):
> ====================================
> 2061
>
>
> Common Vulnerability Scoring System:
> ====================================
> 6.6
>
>
> Vulnerability Class:
> ====================
> SQL Injection
>
>
> Product & Service Introduction:
> ===============================
> Tag Meta allows to efficiently manage all site`s meta information. With Tag Meta, as example, it is possible to set 
> the
> tag `title` or the meta tags (e.g. from the most common `description`, `keywords`, `robots`, as well as the recently
> `content rights` and `external reference`) or link `canonical` on any page, just specifying the URL or a part of it.
> This provides a swiss army knife to improve site positioning in SEO optimization. But Tag Meta also supports regular
> expressions in the matching rules and this allows to match a group of URLs with a single rule. In this way it is
> possible to manage metadata from a single control panel.
>
> (Copy of the Homepage: https://extensions.joomla.org/extension/tag-meta/ )
>
>
> Abstract Advisory Information:
> ==============================
> An independent vulnerability laboratory partner team discovered a sql-injection vulnerability in the official Joomla 
> CMS com_tag (meta) component.

How is this the *official* Joomla CMS com_tag when it is provided by a third party developer? Also, the component 
linked uses the name com_tagmeta in it’s HTTP requests, not com_tag. I am unable to reproduce the issue you are 
describing. This whole disclosure is confusing.

> Vulnerability Disclosure Timeline:
> ==================================
> 2017-05-02: Public Disclosure (Vulnerability Laboratory)
>
>
> Discovery Status:
> =================
> Published
>
>
> Affected Product(s):
> ====================
> SelfGet
> Product: Joomla com_tag (Meta) Components - (Community) 1.7.6
>
>
> Exploitation Technique:
> =======================
> Remote
>
>
> Severity Level:
> ===============
> High
>
>
> Technical Details & Description:
> ================================
> A remote sql-injection web vulnerability has been discovered in the official Joomla CMS com_tag (meta) component.
> The issue allows remote attackers to execute own malicious sql commands to compromise the web-application or dbms.
>
> The sql-injection vulnerability is located in the `tag` parameter of the `com_tag` joomla web module. The request 
> method
> to execute is GET and the attack vector is client-side. Remote attackers are able to inject own malicious sql commands
> via vulnerable `tag` parameter to compromise the web-application or dbms. The web vulnerability is a classic 
> sql-injection
> in the joomla content management system `com_tag (meta)` component.
>
> The security risk of the vulnerability is estimated as high with a common vulnerability scoring system count of 6.6.
> Exploitation of the sql-injection vulnerability requires no privilege web-application user account or user 
> interaction.
> Successful exploitation of the web vulnerability results in web-application or database management system compromise.
>
> Request Method(s):
> [+] GET
>
> Vulnerable Components(s):
> [+] com_tag (joomla)
>
> Vulnerable File(s):
> [+] index.php
>
> Vulnerable Parameter(s):
> [+] tag (&tag)
>
>
> Proof of Concept (PoC):
> =======================
> The sql-injection web vulnerability can be exploited by remote attackers without privilege web-application user 
> account
> or user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and
> steps below to continue.
>
>
> Dork(s):
> inurl:index.php?option=com_tag
>
>
> PoC: Exploitation
> http://localhost:8080/[PATH]/index.php?option=com_tag&task=tag&tag=-`[SQL-Injection Vulnerability!]--
>
>
> Security Risk:
> ==============
> The security risk of the sql-injection web vulnerability in the joomla component is estimated as high (CVSS 6.6).
>
>
> Credits & Authors:
> ==================
> Amir - Iranian Exploit Database (www.iedb.ir) [http://www.vulnerability-lab.com/show.php?user=IEDB%20Team]
>
> Thanks: C0dex,B3hz4d,Beni_vanda,Mr_time,Bl4ck M4n,black_security,Yasser,Ramin Assadian,Black_Nofuzi,SecureHost,
> 1TED,Mr_Kelever,Mr_keeper,Mahmod,Iedb,Khashayar,B3hz4d4,Shabgard,Cl09er, Be_lucky,Moslem Haghighian,Dr_Iman,8Bit,
> Javid,Esmiley_Amir,Mahdi_feizezade,Amin_Zohrabi,Shellshock3 and all my friends + all members of the Iedb.Ir Team.
>
>
> Disclaimer & Information:
> =========================
> The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all 
> warranties, either expressed or
> implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or 
> its suppliers are not liable in any
> case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, 
> even if Vulnerability Labs or its
> suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation 
> of liability mainly for incidental
> or consequential damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break 
> any licenses, policies, deface
> websites, hack into databases or trade with stolen data. We have no need for criminal activities or membership 
> requests. We do not publish advisories
> or vulnerabilities of religious-, militant- and racist- hacker/analyst/researcher groups or individuals. We do not 
> publish trade researcher mails,
> phone numbers, conversations or anything else to journalists, investigative authorities or private individuals.
>
> Domains:    www.vulnerability-lab.com         - www.vulnerability-db.com                                      - 
> www.evolution-sec.com
> Programs:   vulnerability-lab.com/submit.php  - vulnerability-lab.com/list-of-bug-bounty-programs.php         - 
> vulnerability-lab.com/register.php
> Feeds:            vulnerability-lab.com/rss/rss.php   - vulnerability-lab.com/rss/rss_upcoming.php                    
> - vulnerability-lab.com/rss/rss_news.php
> Social:           twitter.com/vuln_lab                - facebook.com/VulnerabilityLab                                 
> - youtube.com/user/vulnerability0lab
>
> Any modified copy or reproduction, including partially usages, of this file, resources or information requires 
> authorization from Vulnerability Laboratory.
> Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including 
> the use of other media, are reserved by
> Vulnerability Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other 
> information on this website is trademark
> of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material 
> contact (admin@) to get an ask permission.
>
>                                   Copyright © 2017 | Vulnerability Laboratory - [Evolution Security GmbH]™
>
>
>
> --
> VULNERABILITY LABORATORY - RESEARCH TEAM
> SERVICE: www.vulnerability-lab.com
>
>
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/

Attachment: signature.asc
Description: Message signed with OpenPGP

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/