Title: Unauthenticated SQL Injection in Huge-IT Portfolio Gallery Plugin v1.0.6 |
Author: Larry W. Cashdollar, @_larry0 |
Date: 2016-09-16 |
CVE-ID: CVE-2016-1000124 |
CWE: CWE-89 SQL Injection |
Download Site: http://huge-it.com/joomla-portfolio-gallery/ |
Vendor: huge-it.com |
Vendor Notified: 2016-09-17 |
Vendor Contact: info@huge-it.com |
Advisory: http://www.vapidlabs.com/advisory.php?v=170 |
Description: Huge-IT Portfolio Gallery extension can do wonders with your website. If you wish to show your photos, videos, enclosing the additional images and videos, then this Portfolio Gallery extension is what you need. |
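Vulnerability: The following lines allow unauthenticated users to perform SQL injection against the functions in ajax_url.php. The script defines _JEXEC itself, so the defined('_JEXEC') check on the next line always passes, and the POST parameter galleryid is concatenated unescaped into the WHERE clause of the query:
In file ajax_url.php (lines 11-12 and 49-59):
define('_JEXEC',1);                             // the script sets the flag itself
defined('_JEXEC') or die('Restircted access');  // so this guard never stops a request
// ... (lines 13-48 omitted in the advisory)
$page = $_POST["page"];                         // untrusted, used for paging
$num=$_POST['perpage'];                         // untrusted, used for paging
$start = $page * $num - $num;
$idofgallery=$_POST['galleryid'];               // untrusted, no validation or cast
$level = $_POST['level'];
$query = $db->getQuery(true);
$query->select('*');
$query->from('#__huge_itportfolio_images');
$query->where('portfolio_id ='.$idofgallery);   // injection point: raw POST value in SQL text
$query ->order('#__huge_itportfolio_images.ordering asc');
$db->setQuery($query,$start,$num);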
|
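A hardened form of the paging query above, added here as an illustration and not taken from the advisory or the vendor's code. It assumes plain PDO with an in-memory SQLite database in place of Joomla's $db; the helper names postInt and fetchGalleryPage, the range limits, the unprefixed table name and the sample rows are all constructed for the example.

```php
<?php
// Added example: hardened form of the paging query from ajax_url.php.
// Assumptions: plain PDO instead of Joomla's $db, SQLite in memory, table
// prefix dropped, sample rows constructed for the demo.

/** Return a validated integer from $src or throw; '1 trailing text' is rejected. */
function postInt(array $src, string $key, int $min, int $max): int
{
    $v = filter_var($src[$key] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    if ($v === false) {
        throw new InvalidArgumentException("invalid value for '$key'");
    }
    return $v;
}

function fetchGalleryPage(PDO $db, array $post): array
{
    $page    = postInt($post, 'page', 1, 100000);
    $num     = postInt($post, 'perpage', 1, 100);   // cap the page size
    $gallery = postInt($post, 'galleryid', 1, PHP_INT_MAX);
    $start   = ($page - 1) * $num;                  // same as $page * $num - $num

    // Values travel as bound integer parameters, never as SQL text.
    $stmt = $db->prepare(
        'SELECT * FROM huge_itportfolio_images
          WHERE portfolio_id = :gid ORDER BY ordering ASC LIMIT :num OFFSET :start');
    $stmt->bindValue(':gid', $gallery, PDO::PARAM_INT);
    $stmt->bindValue(':num', $num, PDO::PARAM_INT);
    $stmt->bindValue(':start', $start, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data: two galleries.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE huge_itportfolio_images (id INTEGER PRIMARY KEY, portfolio_id INTEGER, name TEXT, ordering INTEGER)');
$db->exec("INSERT INTO huge_itportfolio_images (portfolio_id, name, ordering) VALUES (1,'a',2),(1,'b',1),(2,'c',1)");

$rows = fetchGalleryPage($db, ['page' => '1', 'perpage' => '10', 'galleryid' => '1']);
echo count($rows), " rows, first: ", $rows[0]['name'], "\n";

try {   // constructed non-integer value: fails validation before any SQL is built
    fetchGalleryPage($db, ['page' => '1', 'perpage' => '10', 'galleryid' => '1 trailing text']);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

Inside the extension the same effect comes from casting $idofgallery, $page and $num with (int) before they reach $query->where() and $db->setQuery(), and from not defining _JEXEC in a script that can be requested directly.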