Title: XSS & SQLi in HugeIT slideshow v1.0.4 |
Author: Larry W. Cashdollar, @_larry0 |
Date: 2016-07-17 |
CVE-ID:[CVE-2016-1000117][CVE-2016-1000118] |
CWE: CWE-79 * SQL Injection Cross-Site Scripting (XSS) |
Download Site: http://extensions.joomla.org/extensions/extension/photos-a-images/slideshow/slideshow |
Vendor: www.hugeit.com |
Vendor Notified: 2016-07-17 |
Vendor Contact: info@huge-it.com |
Advisory: |
Description: Huge-IT Slideshow Extension is one of the powerful products that our company offers. It gives style and charm to your site and help to attract the attention of visitors to certain parts of the content. |
Vulnerability: The attacker must be logged in with at least manager level access or access to the administrative panel to exploit this vulnerability.
The following functions in ./models/slideshow.php are vulnerable to SQL injection as all parameters being passed to them are not sanitized:
51 public function getPropertie() {
52 $db = JFactory::getDBO();
53 $id_cat = JRequest::getVar('id');
54 $query = $db->getQuery(true);
55 $query->select('#__huge_itslideshow_images.name as name,'
56 . '#__huge_itslideshow_images.id ,'
57 . '#__huge_itslideshow_slideshows.name as portName,'
58 . 'slideshow_id, #__huge_itslideshow_images.description as description,image_url,sl_url,sl_type,link_target,#__huge_itslideshow_imag es.ordering,#__huge_itslideshow_images.published,published_in_sl_width');
59 $query->from(array('#__huge_itslideshow_slideshows' => '#__huge_it slideshow_slideshows', '#__huge_itslideshow_images' => '#__huge_itslidesho w_images'));
60 $query->where('#__huge_itslideshow_slideshows.id = slideshow_id')- >where('slideshow_id=' . $id_cat);
61 $query->order('ordering desc');
62 $db->setQuery($query);
63 $results = $db->loadObjectList();
64 return $results;
65 }
67 public function getImageByID() {
68 $db = JFactory::getDBO();
69 $id_cat = JRequest::getVar('id');
70 $query = $db->getQuery(true);
71 $query->select('*');
72 $query->from('#__huge_itslideshow_images');
73 $query->where('slideshow_id=' . $id_cat);
74 $db->setQuery($query);
75 $results = $db->loadObjectList();
76 return $results;
77 }
79 public function save($data) {
80 $db = JFactory::getDBO();
81 $result = $this->getPropertie();
82 $this->updarteSlideshow();
83 $this->selectStyle();
84 foreach ($result as $key => $value) {
85 $imageId = $value->id;
86 $id = $data['imageId'. $imageId];
87 $titleimage = $data['titleimage' . $imageId];
88 $im_description = $data['im_description'. $imageId];
89 $sl_url = $data['sl_url'. $imageId];
90 $sl_link_target = $data['sl_link_target'. $imageId];
91 $ordering = $data['order_by_'. $imageId];
92 $image_url = $data['image_url'. $imageId];
93
94 $query = $db->getQuery(true);
95 $query->update('#__huge_itslideshow_images')->set('name="' . $ titleimage . '"')->set('description="' . $im_description . '"')
96 ->set('sl_url="' . $sl_url . '"')->set('link_target="' . $sl_link_target . '"')
97 ->set('ordering="' . $ordering . '"')->set('image_url= "' . $image_url . '"')->where('id=' . $imageId);
98 $db->setQuery($query);
99 $db->execute();
The rest of the source files all have similar vulnerabilities:
./models/fields/slideshow.php
./models/slideshows.php
./models/video.php
./models/forms/general.php
./models/general.php
Refective XSS in ./views/slideshow/tmpl/default.php in id parameter.
117: <a class="modal" rel="{handler: 'iframe', size: {x: 800, y: 500}}" href="index.php?option=com_slideshow&view=video&tmpl=component&pid=<?php echo $_GET['id']; ?>" title="Video" > |
Export: JSON TEXT XML |
Exploit Code:
|
Screen Shots: |
Notes: |
Larry W. Cashdollar
Larry Cashdollar
Larry W. Cashdollar vulnerability
Larry Cashdollar advisory