Joomla com_niceajaxpoll 1.3.0 SQL Injection Vulnerability

Joomla com_niceajaxpoll eklentisinde bulunan SQL injection açığı yayınlanadı. Bu açık sayesinde diğer SQL injection açıklarında olduğu gibi, Tablolar çekilebilmekte, kullanıcı ve yönetici hashlarına ulaşılabilmekte, bunlar kırılarak admin paneline erişim imkanı bulunmaktadır. Bu eklentide çok fazla olmasada, bu eklentiyi kullananlar bir an önce üst versiyona güncellemeli, güncellemesi yoksa güncellene kadar eklentiyi devre dışı bırakmalıdırlar.

###########################################################

Title    : Joomla com_niceajaxpoll <= 1.3.0 SQL Injection Vulnerability

# Author   : Patrick de Brouwer – @knickz0r

#            NLSecurity         – www.nlsecurity.org

#

# Dork     : inurl:”/index.php?option=com_niceajaxpoll”

#

# Software : Joomla component Nice Ajax Poll <= 1.3.0

#            http://dmitry.dn.ua/my-projects/304-nice-ajax-poll.html

#

# Vendor   : Dima Kuprijanov

#

# Date     : 2012-07-31

#

############################################################

+ — –=[ 0x01 – Software description

 Nice Ajax Poll is a component for the Joomla! CMS which all-

ows users to vote on certain questions or statements.

 + — –=[ 0x02 – Vulnerability description

 There is a SQL Injection vulnerability that can be called f-

rom within the website to perform the SQL Injection attack.

 + — –=[ 0x03 – Impact

The impact of this vulnerability should be rated as critical

as it is possible to access the database and therefore retr-

eive user information such as usernames, passwords and other

data. When abused, hackers could gain access to the adminis-

trative interface of Joomla.

 + — –=[ 0x04 – Affected versions

As of the source code, the version containint this vulnerab-

ility was version 1.3.0. It was not proven that the vulnera-

bility does not exist in newer or earlier versions. Therfore

the vulnerability is considered available  in versions below

1.3.0.

+ — –=[ 0x05 – Vendor contact trail

Contact has not been made with the author. Author will rece-

ive a copy of the vulnerability disclosure.

+ — –=[ 0x06 – Proof of Concept (PoC)

 In:

/components/com_niceajaxpoll/views/niceajaxpoll/tmpl/default.php

there is a call to:

index.php?option=com_niceajaxpoll&getpliseid=”+id,

which is located on line 32.  In practice this vulnerability

has been verified by exploiting the following:

/index.php?option=com_niceajaxpoll&getpliseid=1 OR 1=1

                                              ,——-

                                              ‘- SQLi

Bir cevap yazın

E-posta hesabınız yayımlanmayacak. Gerekli alanlar * ile işaretlenmişlerdir