
List:       oss-security
Subject:    [oss-security] Reflected XSS and SQLi in Huge IT Joomla Slider v1.0.9 extension
From:       "Larry W. Cashdollar" <larry0 () me ! com>
Date:       2016-07-28 17:58:08
Message-ID: 9F8556B6-3B55-4BFF-898A-92B084238AB6 () me ! com

Title: Reflected XSS and SQLi in Huge IT Joomla Slider v1.0.9 extension
Author: Larry W. Cashdollar, @_larry0
Date: 2016-07-22
Download Site: http://extensions.joomla.org/extensions/extension/photos-a-images/slider
Vendor: huge-it.com
Vendor Notified: 2016-07-22
Vendor Contact:
Description: Huge-IT Slider extension is one of the powerful products that our company offer. It gives style and charm to your site and help to attract the attention of visitors to certain parts of the content.
Vulnerability:
The attacker must be logged in with at least manager level access or access to the administrative panel to exploit this vulnerability.

XSS in ./admin/views/slider/tmpl/default.php via id variable:
275:                    <a class="modal" rel="{handler: 'iframe', size: {x: 800, y: 500}}" href="index.php?option=com_slider&view=video&tmpl=component&pid=<?php echo $_GET['id']; ?>" title="Video" >
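The template line above writes the raw id straight into an href attribute. As an added example (not the extension's code), the same anchor built so that the parameter is first coerced to an integer through Joomla's input object and then HTML-encoded for the attribute context; the variable names $pid and $href are choices made here, not names from the extension:

```php
<?php
// Added example, not part of Huge IT Slider. Assumes a Joomla 3.x
// environment where JFactory::getApplication()->input is available.
defined('_JEXEC') or die;

// getInt() returns 0 for anything that is not an integer, so a payload
// such as  1 --"><script>  never survives as a string.
$pid = JFactory::getApplication()->input->getInt('id');

$href = 'index.php?option=com_slider&view=video&tmpl=component&pid=' . (int) $pid;
?>
<a class="modal" rel="{handler: 'iframe', size: {x: 800, y: 500}}"
   href="<?php echo htmlspecialchars($href, ENT_QUOTES, 'UTF-8'); ?>"
   title="Video">
```

The integer cast removes the injection vector on its own; the htmlspecialchars() call is kept so the attribute stays safe if the URL later picks up a non-numeric parameter.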

SQL Injection in the following sections of code:

in file ./admin/models/slider.php
53:        $id_cat = JRequest::getVar('id');
54-        $query = $db->getQuery(true);
55-        $query->select('#__huge_itslider_images.name as name,'
56-                . '#__huge_itslider_images.id ,'
57-                . '#__huge_itslider_sliders.name as portName,'
58-                . 'slider_id, #__huge_itslider_images.description as description,image_url,sl_url,sl_type,link_target,#__huge_itslider_images.ordering,#__huge_itslider_images.published,published_in_sl_width');
--
69:        $id_cat = JRequest::getVar('id');
70-        $query = $db->getQuery(true);
71-        $query->select('*');
72-        $query->from('#__huge_itslider_images');
73-        $query->where('slider_id=' . $id_cat);
74-        $db->setQuery($query);
--
117:        $id_cat = JRequest::getVar('id');
118-
119-        $query = $db->getQuery(true);
120-        $query->update('#__huge_itslider_sliders')->set('name ="' . $name . '"')
121-                ->set('sl_height="' . $sl_height . '"')->set('slider_list_effects_s="' . $slider_effects_list . '"')
122-                ->set('pause_on_hover="' . $pause_on_hover . '"')
--
133:        $id_cat = JRequest::getVar('id');
134-        $query = $db->getQuery(true);
135-        $query->update('#__huge_itslider_sliders')->set('slider_list_effects_s ="' . $styleName . '"')->where('id="' . $id_cat . '"');
136-        $db->setQuery($query);
137-        $db->execute();
138-    }
--
182:        $id_cat = JRequest::getVar('removeslide');
183:        $id = JRequest::getVar('id');
184-        $db = JFactory::getDBO();
185-        $query = $db->getQuery(true);
186-        $query->delete('#__huge_itslider_images')->where('id =' . $id_cat);
187-        $db->setQuery($query);
188-        $db->execute();
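Every excerpt above concatenates JRequest::getVar('id') or 'removeslide' into the query string unchanged, and the string setters wrap values in literal double quotes by hand. As an added example (not the extension's code), here are the select, update and delete statements rebuilt on the Joomla 3.x database API so that identifiers are integer-typed and every string value passes through $db->quote(). The table and column names are taken from the advisory; $db, $input and the $images/$remove variables are assumptions made here:

```php
<?php
// Added example, not part of Huge IT Slider. Assumes Joomla 3.x, where
// JFactory::getDbo() and JFactory::getApplication()->input exist.
defined('_JEXEC') or die;

$input = JFactory::getApplication()->input;
$db    = JFactory::getDbo();

// 1. Typed input: getInt() yields 0 for anything that is not an integer,
//    and the explicit (int) cast in the WHERE clause makes the intent visible.
$id_cat = $input->getInt('id');

$query = $db->getQuery(true)
    ->select('*')
    ->from($db->quoteName('#__huge_itslider_images'))
    ->where($db->quoteName('slider_id') . ' = ' . (int) $id_cat);
$db->setQuery($query);
$images = $db->loadObjectList();

// 2. String columns: $db->quote() escapes the value and adds the quotes,
//    replacing the hand-written '"' . $name . '"' concatenation.
$name           = $input->getString('name');
$sl_height      = $input->getInt('sl_height');
$effects_list   = $input->getString('slider_list_effects_s');
$pause_on_hover = $input->getString('pause_on_hover');

$query = $db->getQuery(true)
    ->update($db->quoteName('#__huge_itslider_sliders'))
    ->set($db->quoteName('name') . ' = ' . $db->quote($name))
    ->set($db->quoteName('sl_height') . ' = ' . (int) $sl_height)
    ->set($db->quoteName('slider_list_effects_s') . ' = ' . $db->quote($effects_list))
    ->set($db->quoteName('pause_on_hover') . ' = ' . $db->quote($pause_on_hover))
    ->where($db->quoteName('id') . ' = ' . (int) $id_cat);
$db->setQuery($query);
$db->execute();

// 3. Delete: the row id from 'removeslide' gets the same integer treatment.
$remove = $input->getInt('removeslide');

$query = $db->getQuery(true)
    ->delete($db->quoteName('#__huge_itslider_images'))
    ->where($db->quoteName('id') . ' = ' . (int) $remove);
$db->setQuery($query);
$db->execute();
```

Note that the original line 186 deletes by $id_cat (taken from 'removeslide') while line 183 also reads an unused $id; the rewrite keeps the delete keyed on the 'removeslide' parameter, as the original does, and only changes how the value reaches the query.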

CVE-2016-1000121 XSS
CVE-2016-1000122 SQLi
Exploit Code:

XSS:
http://192.168.0.125/administrator/index.php?option=com_slider&view=slider&id=1%20--%20%22%3E%3Cscript%3Ealert(1);%3C/script%3E

SQLi:
http://192.168.0.125/administrator/index.php?option=com_slider&view=slider&id=HERE
Advisory: http://www.vapidlabs.com/advisory.php?v=168=

