J2Store v3.1.6, a Joomla! extension that adds basic store functionality to
a Joomla! instance, suffered from two unauthenticated boolean-blind and
error-based SQL injection vulnerabilities. Since February 2015, J2Store has
had about 16,000 downloads as of this writing.


The first vulnerability was in the sortby parameter within a request made
while searching for products.

POST /index.php HTTP/1.1
Host: 192.168.1.3
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0)
Gecko/20100101 Firefox/37.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 124

search=&sortby=product_name+DESC&option=com_j2store&view=products&task=browse&Itemid=115



The second vulnerability was in an advanced search multipart form request,
within the manufacturer_ids parameters.

POST /index.php HTTP/1.1
Host: 192.168.1.3
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0)
Gecko/20100101 Firefox/37.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: multipart/form-data;
boundary=---------------------------69182815810793866481457026727
Content-Length: 1023

-----------------------------69182815810793866481457026727
Content-Disposition: form-data; name="pricefrom"

0
-----------------------------69182815810793866481457026727
Content-Disposition: form-data; name="priceto"

521
-----------------------------69182815810793866481457026727
Content-Disposition: form-data; name="manufacturer_ids[]"

1
-----------------------------69182815810793866481457026727
Content-Disposition: form-data; name="option"

com_j2store
-----------------------------69182815810793866481457026727
Content-Disposition: form-data; name="view"

products
-----------------------------69182815810793866481457026727
Content-Disposition: form-data; name="task"

browse
-----------------------------69182815810793866481457026727
Content-Disposition: form-data; name="Itemid"

115
-----------------------------69182815810793866481457026727
Content-Disposition: form-data; name="9d0a4b9d6d4b46fc51d25844b91c2057"

1
-----------------------------69182815810793866481457026727--


A Metasploit scanner module and two auxiliary modules are available on the
ExploitHub store which will help you find and validate any vulnerable
instances. A PCAP is included with each module.

Free Metasploit scanner module:
https://exploithub.com/j2store-3-1-6-sql-injection-scanner.html

Metasploit User/Password Enumeration auxiliary module:
https://exploithub.com/j2store-3-1-6-user-password-enumeration-via-sql-injection.html

Metasploit Arbitrary File Read auxiliary module:
https://exploithub.com/j2store-3-1-6-arbitrary-file-read-via-sql-injection.html


Timeline
July 7 2015: Reported to vendor
July 7 2015: Vendor response asking for details
July 7 2015: Details sent
July 7 2015: Vendor sends email saying the vulnerabilities were fixed and a
new version will be out soon
July 8 2015: Version 3.1.7 released, advisory released with modules

-- 
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website