Date: Thu, 01 Sep 2016 08:22:11 -0400
From: "Larry W. Cashdollar" <>
To: Open Source Security <>
Subject: Updated: XSS and SQLi in huge IT gallery v1.1.5 for Joomla

I thought I should share this here; this vulnerability doesn't require authentication to exploit. It has been fixed in v1.1.6, not v1.1.7.

Title: XSS and SQLi in huge IT gallery v1.1.5 for Joomla
Author: Larry W. Cashdollar, @_larry0; Elitza Neytcheva, @E1337za
Date: 2016-07-14
Download Site:
Vendor Notified: 2016-07-15, fixed v1.1.6
Vendor Contact:
Description: The plugin allows you to add multiple images to the gallery, create countless galleries, add a description to each of them, as well as make the same things with video links.
The attacker does not need to be logged in to Joomla to exploit this vulnerability:

SQL in code via id parameter:
    public function getPropertie() {
        $db = JFactory::getDBO();
        $id_cat = JRequest::getVar('id');
        $query = $db->getQuery(true);
        $query->select(' as name,'
                . ' ,'
                . ' as portName,'
                . 'gallery_id, #__huge_itgallery_images.description as description,image_url,sl_url,sl_type,link_target,#__huge_itgallery_images.ordering,#__huge_itgallery_images.published,published_in_sl_width');
        $query->from(array('#__huge_itgallery_gallerys' => '#__huge_itgallery_gallerys', '#__huge_itgallery_images' => '#__huge_itgallery_images'));
        $query->where(' = gallery_id')->where('gallery_id=' . $id_cat);
        $query->order('ordering desc');
        $db->setQuery($query);
        $results = $db->loadObjectList();
        return $results;
    }

XSS is here:

root@...mla:/var/www/html# find . -name "*.php" -exec grep -l "echo \$_GET" {} \;
root@...mla:/var/www/html# find . -name "*.php" -exec grep -n "echo \$_GET" {} \;
256:                    <a class="modal" rel="{handler: 'iframe', size: {x: 800, y: 500}}" href="index.php?option=com_gallery&view=video&tmpl=component&pid=<?php echo $_GET['id']; ?>" title="Image" >

CVE-2016-1000113 SQLi
CVE-2016-1000114 XSS
Google Dork:
inurl:option=com_gallery inurl:id

Exploit Code:
XSS PoC;%3C/script%3E
$ sqlmap -u "*" --dbms mysql
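As an added example (not part of the advisory or of the plugin's code), here is the hardening a maintainer would apply to the two sinks quoted above: the `id` request value is validated as an integer before it reaches the WHERE clause, and the value echoed into the `href` is HTML-escaped. It is plain PHP so it runs on its own; inside Joomla the equivalent calls are `JFactory::getApplication()->input->getInt('id')` for the input and `$query->where('gallery_id = ' . (int) $id_cat)` for the query.

```php
<?php
// Added example: hardened handling of the two sinks from the advisory.
// Plain PHP (no Joomla runtime) so it can be run with `php file.php`.

/**
 * Coerce the raw `id` request value to a positive integer, or null.
 * Anything that is not purely digits (e.g. "7 OR 1=1") is rejected,
 * so no attacker-controlled text can reach the SQL string.
 */
function gallery_id_from_request(array $get): ?int {
    if (!isset($get['id']) || !preg_match('/^\d+$/', $get['id'])) {
        return null;
    }
    $id = (int) $get['id'];
    return $id > 0 ? $id : null;
}

/** Build the WHERE fragment the vulnerable code concatenated directly. */
function gallery_where_clause(?int $id): string {
    if ($id === null) {
        throw new InvalidArgumentException('invalid gallery id');
    }
    // $id is an int here, so interpolating it cannot change the query shape.
    return 'gallery_id = ' . $id;
}

/** Render the modal link; the id is escaped for an HTML attribute context. */
function video_modal_link(string $raw_id): string {
    $safe = htmlspecialchars($raw_id, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a class="modal" href="index.php?option=com_gallery&amp;view=video'
         . '&amp;tmpl=component&amp;pid=' . $safe . '" title="Image">';
}

// Constructed inputs: a benign id, an SQLi attempt, an XSS attempt.
$cases = ['7', '7 OR 1=1', '"><script>alert(1)</script>'];
foreach ($cases as $raw) {
    $id    = gallery_id_from_request(['id' => $raw]);
    $where = $id === null ? '(rejected)' : gallery_where_clause($id);
    echo "input={$raw}\n  sql:  {$where}\n  html: " . video_modal_link($raw) . "\n";
}
```

In the real fix the escaped `pid` should also be the validated integer, so the same `gallery_id_from_request()` result can feed both the query and the link.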
