| Title: Unauthenticated SQL Injection in Huge-IT Video Gallery v1.0.9 for Joomla |
| Author: Larry W. Cashdollar, @_larry0 |
| Date: 2016-09-15 |
| CVE-ID:[CVE-2016-1000123] |
| CWE: CWE-89 SQL Injection |
| Download Site: http://huge-it.com/joomla-video-gallery/ |
| Vendor: www.huge-it.com, fixed v1.1.0 |
| Vendor Notified: 2016-09-17 |
| Vendor Contact: info@huge-it.com |
| Advisory: http://www.vapidlabs.com/advisory.php?v=169 |
| Description: A video slideshow gallery. |
| Vulnerability: The following code does not prevent an unauthenticated user from injecting SQL into functions located in ajax_url.php.
Vulnerable Code in : ajax_url.php
11 define('_JEXEC',1);
12 defined('_JEXEC') or die('Restircted access');
.
.
.
28 if($_POST['task']=="load_videos_content"){
29
30 $page = 1;
31
32
33 if(!empty($_POST["page"]) && is_numeric($_POST['page']) && $_POST['page']>0){
34 $paramssld='';
35 $db5 = JFactory::getDBO();
36 $query5 = $db->getQuery(true);
37 $query5->select('*');
38 $query5->from('#__huge_it_videogallery_params');
39 $db->setQuery($query5);
40 $options_params = $db5->loadObjectList();
41 foreach ($options_params as $rowpar) {
42 $key = $rowpar->name;
43 $value = $rowpar->value;
44 $paramssld[$key] = $value;
45 }
46 $page = $_POST["page"];
47 $num=$_POST['perpage'];
48 $start = $page * $num - $num;
49 $idofgallery=$_POST['galleryid'];
50
51 $query = $db->getQuery(true);
52 $query->select('*');
53 $query->from('#__huge_it_videogallery_videos');
54 $query->where('videogallery_id ='.$idofgallery);
55 $query ->order('#__huge_it_videogallery_videos.ordering asc');
56 $db->setQuery($query,$start,$num);
|
| Export: JSON TEXT XML |
Exploit Code:
|
| Screen Shots: |
| Notes: |
Larry W. Cashdollar
Larry Cashdollar
Larry W. Cashdollar vulnerability
Larry Cashdollar advisory