Title: Unauthenticated SQL Injection in Huge-IT Catalog v1.0.7 for Joomla |
Author: Larry W. Cashdollar, @_larry0 |
Date: 2016-09-16 |
CVE-ID:[CVE-2016-1000125] |
CWE: CWE-89 SQL Injection |
Download Site: http://huge-it.com/joomla-catalog/ |
Vendor: huge-it.com |
Vendor Notified: 2016-09-17 |
Vendor Contact: info@huge-it.com |
Advisory: http://www.vapidlabs.com/advisory.php?v=171 |
Description: Huge-IT Product Catalog is made for demonstration, sale, advertisements for your products. Imagine a stand with a variety of catalogs with a specific product category. To imagine is not difficult, to use is even easier. |
Vulnerability: The following code does not prevent an unauthenticated user from injecting SQL into functions via 'load_more_elements_into_catalog' located in ajax_url.php.
Vulnerable Code in : ajax_url.php
11 define('_JEXEC', 1);
12 defined('_JEXEC') or die('Restircted access');
.
.
.
308 } elseif ($_POST["post"] == "load_more_elements_into_catalog") {
309 $catalog_id = $_POST["catalog_id"];
310 $old_count = $_POST["old_count"];
311 $count_into_page = $_POST["count_into_page"];
312 $show_thumbs = $_POST["show_thumbs"];
313 $show_description = $_POST["show_description"];
314 $show_linkbutton = $_POST["show_linkbutton"];
315 $parmalink = $_POST["parmalink"];
316 $level = $_POST['level'];
.
.
.
359 $query->select('*');
360 $query->from('#__huge_it_catalog_products');
361 $query->where('catalog_id =' . $catalog_id);
362 $query->order('ordering asc');
363 $db->setQuery($query, $from, $count_into_page); |
Export: JSON TEXT XML |
Exploit Code:
|
Screen Shots: |
Notes: |
Larry W. Cashdollar
Larry Cashdollar
Larry W. Cashdollar vulnerability
Larry Cashdollar advisory