List: oss-security
Subject: [oss-security] Reflected XSS and SQLi in Huge IT Joomla Slider v1.0.9 extension
From: "Larry W. Cashdollar" <larry0 () me ! com>
Date: 2016-07-28 17:58:08
Message-ID: 9F8556B6-3B55-4BFF-898A-92B084238AB6 () me ! com
Title: Reflected XSS and SQLi in Huge IT Joomla Slider v1.0.9 extension
Author: Larry W. Cashdollar, @_larry0
Date: 2016-07-22
Download Site: http://extensions.joomla.org/extensions/extension/photos-a-images/slider
Vendor: huge-it.com
Vendor Notified: 2016-07-22
Vendor Contact:
Description: Huge-IT Slider extension is one of the powerful products that our company offers. It gives style and charm to your site and helps to attract the attention of visitors to certain parts of the content.

Vulnerability:
The attacker must be logged in with at least manager level access, or otherwise have access to the administrative panel, to exploit this vulnerability.
XSS in ./admin/views/slider/tmpl/default.php via the id variable, which is echoed into an href attribute without encoding:

275: <a class="modal" rel="{handler: 'iframe', size: {x: 800, y: 500}}" href="index.php?option=com_slider&view=video&tmpl=component&pid=<?php echo $_GET['id']; ?>" title="Video" >
SQL Injection in the following sections of code, where the id request variable is concatenated into queries without being cast or quoted:

in file ./admin/models/slider.php
53: $id_cat = JRequest::getVar('id');
54- $query = $db->getQuery(true);
55- $query->select('#__huge_itslider_images.name as name,'
56- . '#__huge_itslider_images.id ,'
57- . '#__huge_itslider_sliders.name as portName,'
58- . 'slider_id, #__huge_itslider_images.description as \
description,image_url,sl_url,sl_type,link_target,#__huge_itslider_images.ordering,#__huge_itslider_images.published,published_in_sl_width');
--
69: $id_cat = JRequest::getVar('id');
70- $query = $db->getQuery(true);
71- $query->select('*');
72- $query->from('#__huge_itslider_images');
73- $query->where('slider_id=' . $id_cat);
74- $db->setQuery($query);
--
117: $id_cat = JRequest::getVar('id');
118-
119- $query = $db->getQuery(true);
120- $query->update('#__huge_itslider_sliders')->set('name ="' . $name . '"')
121- ->set('sl_height="' . $sl_height . '"')->set('slider_list_effects_s="' . $slider_effects_list . '"')
122- ->set('pause_on_hover="' . $pause_on_hover . '"')
--
133: $id_cat = JRequest::getVar('id');
134- $query = $db->getQuery(true);
135- $query->update('#__huge_itslider_sliders')->set('slider_list_effects_s ="' . $styleName . '"')->where('id="' . $id_cat . '"');
136- $db->setQuery($query);
137- $db->execute();
138- }
--
182: $id_cat = JRequest::getVar('removeslide');
183: $id = JRequest::getVar('id');
184- $db = JFactory::getDBO();
185- $query = $db->getQuery(true);
186- $query->delete('#__huge_itslider_images')->where('id =' . $id_cat);
187- $db->setQuery($query);
188- $db->execute();
CVE-2016-1000121 XSS
CVE-2016-1000122 SQLi
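For comparison, the following is an added example (written for this post, not code from the advisory or from the Huge IT extension) showing the unsafe patterns quoted above next to hardened equivalents. It assumes a Joomla 2.5/3.x environment where $db is the database driver returned by JFactory::getDbo(); the helper function names (renderVideoLink, getImagesForSlider, renameSlider, deleteImage) are hypothetical and exist only for this illustration.

```php
<?php
// Added example, not the extension's own code. Assumes $db is a Joomla
// JDatabaseDriver (JFactory::getDbo()); all function names are hypothetical.

// --- XSS (CVE-2016-1000121): default.php line 275 echoes $_GET['id'] raw
// into an href attribute:
//   href="...&pid=<?php echo $_GET['id']; ?>"
// Hardened: pid is numeric, so cast it (non-numeric input becomes 0), then
// encode for the attribute context so the pattern stays safe even if the
// value's type changes later.
function renderVideoLink($rawId)
{
    $pid  = (int) $rawId;
    $href = 'index.php?option=com_slider&view=video&tmpl=component&pid=' . $pid;
    return '<a class="modal" href="'
        . htmlspecialchars($href, ENT_QUOTES, 'UTF-8')
        . '" title="Video">Video</a>';
}

// --- SQLi (CVE-2016-1000122): slider.php lines 69-74 concatenate
// JRequest::getVar('id') into WHERE:
//   $query->where('slider_id=' . $id_cat);
// Hardened: cast the numeric id and quote the identifiers.
function getImagesForSlider($db, $rawId)
{
    $sliderId = (int) $rawId;
    $query = $db->getQuery(true)
        ->select('*')
        ->from($db->quoteName('#__huge_itslider_images'))
        ->where($db->quoteName('slider_id') . ' = ' . $sliderId);
    $db->setQuery($query);
    return $db->loadObjectList();
}

// The UPDATE at lines 117-122 also splices free-text fields such as $name
// into the query. Strings must go through $db->quote(), which escapes and
// wraps the value for the driver in use.
function renameSlider($db, $rawId, $rawName)
{
    $sliderId = (int) $rawId;
    $query = $db->getQuery(true)
        ->update($db->quoteName('#__huge_itslider_sliders'))
        ->set($db->quoteName('name') . ' = ' . $db->quote($rawName))
        ->where($db->quoteName('id') . ' = ' . $sliderId);
    $db->setQuery($query);
    return $db->execute();
}

// The DELETE at lines 182-188: same fix, and refuse non-positive ids so junk
// input never reaches the database at all.
function deleteImage($db, $rawId)
{
    $imageId = (int) $rawId;
    if ($imageId <= 0) {
        return false;
    }
    $query = $db->getQuery(true)
        ->delete($db->quoteName('#__huge_itslider_images'))
        ->where($db->quoteName('id') . ' = ' . $imageId);
    $db->setQuery($query);
    return $db->execute();
}
```

The two fixes share one idea: decide the type of every request parameter before it touches HTML or SQL. Integer ids are cast with (int) so neither the attribute nor the WHERE clause can ever receive markup or query syntax; string fields that legitimately carry arbitrary text go through $db->quote() for SQL and htmlspecialchars() for output.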
Exploit Code:

XSS:
http://192.168.0.125/administrator/index.php?option=com_slider&view=slider&id=1%20--%20%22%3E%3Cscript%3Ealert(1);%3C/script%3E

SQLi:
http://192.168.0.125/administrator/index.php?option=com_slider&view=slider&id=HERE
Advisory: http://www.vapidlabs.com/advisory.php?v=168=