Title: Unauthenticated SQL Injection in Huge-IT Video Gallery v1.0.9 for Joomla |
Author: Larry W. Cashdollar, @_larry0 |
Date: 2016-09-15 |
CVE-ID:[CVE-2016-1000123] |
CWE: CWE-89 SQL Injection |
Download Site: http://huge-it.com/joomla-video-gallery/ |
Vendor: www.huge-it.com, fixed v1.1.0 |
Vendor Notified: 2016-09-17 |
Vendor Contact: info@huge-it.com |
Advisory: http://www.vapidlabs.com/advisory.php?v=169 |
Description: A video slideshow gallery. |
Vulnerability: The following code does not prevent an unauthenticated user from injecting SQL into functions located in ajax_url.php.
Vulnerable Code in : ajax_url.php
11 define('_JEXEC',1);
12 defined('_JEXEC') or die('Restircted access');
.
.
.
28 if($_POST['task']=="load_videos_content"){
29
30 $page = 1;
31
32
33 if(!empty($_POST["page"]) && is_numeric($_POST['page']) && $_POST['page']>0){
34 $paramssld='';
35 $db5 = JFactory::getDBO();
36 $query5 = $db->getQuery(true);
37 $query5->select('*');
38 $query5->from('#__huge_it_videogallery_params');
39 $db->setQuery($query5);
40 $options_params = $db5->loadObjectList();
41 foreach ($options_params as $rowpar) {
42 $key = $rowpar->name;
43 $value = $rowpar->value;
44 $paramssld[$key] = $value;
45 }
46 $page = $_POST["page"];
47 $num=$_POST['perpage'];
48 $start = $page * $num - $num;
49 $idofgallery=$_POST['galleryid'];
50
51 $query = $db->getQuery(true);
52 $query->select('*');
53 $query->from('#__huge_it_videogallery_videos');
54 $query->where('videogallery_id ='.$idofgallery);
55 $query ->order('#__huge_it_videogallery_videos.ordering asc');
56 $db->setQuery($query,$start,$num);
|
Export: JSON TEXT XML |
Exploit Code:
|
Screen Shots: |
Notes: |
Larry W. Cashdollar
Larry Cashdollar
Larry W. Cashdollar vulnerability
Larry Cashdollar advisory