Date: Thu, 01 Sep 2016 08:22:11 -0400
From: "Larry W. Cashdollar" <>
To: Open Source Security <>
Subject: Updated: XSS and SQLi in huge IT gallery v1.1.5 for Joomla

I thought I should share this here; this vulnerability doesn't require authentication to exploit. It has been fixed in v1.1.6, not v1.1.7.

Title: XSS and SQLi in huge IT gallery v1.1.5 for Joomla
Author: Larry W. Cashdollar, @_larry0; Elitza Neytcheva, @E1337za
Date: 2016-07-14
Download Site:
Vendor Notified: 2016-07-15, fixed v1.1.6
Vendor Contact:
Description: The plugin allows you to add multiple images to the gallery, create countless galleries, add a description to each of them, as well as make the same things with video links.
The attacker does not need to be logged in to Joomla to exploit this vulnerability:

SQL in code via id parameter:
    public function getPropertie() {
        $db = JFactory::getDBO();
        // 'id' is taken straight from the request with no type check or quoting
        $id_cat = JRequest::getVar('id');
        $query = $db->getQuery(true);
        $query->select(' as name,'
                . ' ,'
                . ' as portName,'
                . 'gallery_id, #__huge_itgallery_images.description as description,image_url,sl_url,sl_type,link_target,#__huge_itgallery_images.ordering,#__huge_itgallery_images.published,published_in_sl_width');
        $query->from(array('#__huge_itgallery_gallerys' => '#__huge_itgallery_gallerys', '#__huge_itgallery_images' => '#__huge_itgallery_images'));
        // $id_cat is concatenated unquoted into the WHERE clause: the SQL injection sink
        $query->where(' = gallery_id')->where('gallery_id=' . $id_cat);
        $query->order('ordering desc');
        $db->setQuery($query);
        $results = $db->loadObjectList();
        return $results;
    }

XSS is here:

root@...mla:/var/www/html# find . -name "*.php" -exec grep -l "echo \$_GET" {} \;
root@...mla:/var/www/html# find . -name "*.php" -exec grep -n "echo \$_GET" {} \;
256:                    <a class="modal" rel="{handler: 'iframe', size: {x: 800, y: 500}}" href="index.php?option=com_gallery&view=video&tmpl=component&pid=<?php echo $_GET['id']; ?>" title="Image" >

CVE-2016-1000113 SQLi
CVE-2016-1000114 XSS
Google Dork:
inurl:option=com_gallery inurl:id

Exploit Code:
XSS PoC;%3C/script%3E
$ sqlmap -u "*" --dbms mysql
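Added example, not part of the post above or of the gallery extension: a small Python scanner over constructed Apache access-log lines that flags com_gallery requests whose id parameter is not a plain integer, since both sinks above consume id without casting or escaping it. The log format and every sample value are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined format); not taken from any real server.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Sep/2016:08:00:01 -0400] "GET /index.php?option=com_gallery&view=video&tmpl=component&id=3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Sep/2016:08:00:02 -0400] "GET /index.php?option=com_gallery&view=video&tmpl=component&id=3%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 4821 "-" "sqlmap/1.0"
10.0.0.9 - - [01/Sep/2016:08:00:03 -0400] "GET /index.php?option=com_gallery&view=video&tmpl=component&id=%3C/script%3E HTTP/1.1" 200 600 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Sep/2016:08:00:04 -0400] "GET /index.php?option=com_content&view=article&id=abc HTTP/1.1" 404 200 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def is_suspicious_gallery_request(path: str) -> bool:
    """True when the request targets com_gallery with an id that is not a plain integer.

    gallery_id is a numeric column, so a legitimate request always carries digits.
    Anything else (SQL keywords, HTML) is exactly what an int cast in a fixed
    version would reject, and what the vulnerable version passes straight through.
    """
    query = parse_qs(urlsplit(path).query, keep_blank_values=True)
    if query.get("option", [""])[0] != "com_gallery":
        return False
    # parse_qs has already percent-decoded the values.
    return any(not re.fullmatch(r"\d+", value) for value in query.get("id", []))


def scan_log(text: str) -> list[dict]:
    """Return one record per suspicious com_gallery request found in the log text."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_suspicious_gallery_request(m["path"]):
            continue
        decoded_id = parse_qs(urlsplit(m["path"]).query)["id"][0]
        hits.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"], "id": decoded_id})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} id={hit['id']!r}")
```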
