
Canteen Joomla Component 1.0 Multiple Remote Vulnerabilities


 Name              Canteen
 Vendor            http://www.miniwork.eu
 Versions Affected 1.0

 Author            Salvatore Fresta aka Drosophila
 Website           http://www.salvatorefresta.net
 Contact           salvatorefresta [at] gmail [dot] com
 Date              2010-04-07

X. INDEX

 I.    ABOUT THE APPLICATION
 II.   DESCRIPTION
 III.  ANALYSIS
 IV.   SAMPLE CODE
 V.    FIX
 

I. ABOUT THE APPLICATION

Canteen is a Joomla 1.5 component written for canteens. It
lets you easily manage a daily menu.


II. DESCRIPTION

Some parameters are not sanitised before being used in SQL
queries and in dangerous PHP functions.


III. ANALYSIS

Summary:

 A) Local File Inclusion
 B) Multiple Blind SQL Injection
 

A) Local File Inclusion

The controller parameter in canteen.php is not sanitised
before being used in the PHP function require_once().
This allows a guest to include local files. The following
is the affected code:

// The request value is concatenated into the include path with no
// filtering, so traversal sequences reach the file system unchanged.
if ($controller = JRequest::getVar('controller')) {
    require_once (JPATH_COMPONENT.DS.'controllers'.DS.$controller.'.php');
}


B) Multiple Blind SQL Injection

The mealid parameter in menu.php is not properly sanitised
before being used in multiple SQL queries. This can be
exploited to manipulate SQL queries by injecting arbitrary
SQL code. The following is the affected code:


// Order insert: mealid is concatenated into the VALUES list unquoted
// and unvalidated.
$mealid   = JRequest::getVar('mealid');
$SQLQuery = "INSERT INTO #__miniwork_canteen_order  (jo_userid, jo_mealid, jo_created, jo_createdby, jo_changed, jo_changedby)
            VALUES  (".$user->id.", ".$mealid.", NOW(), '".$user->sSecondName." ".$user->sFirstName."', NOW(), '".$user->sSecondName." ".$user->sFirstName."')";

// Order delete: same unvalidated value in the WHERE clause.
$mealid   = JRequest::getVar('mealid');
$SQLQuery = "DELETE FROM #__miniwork_canteen_order WHERE jo_mealid = ".$mealid." AND jo_userid = ".$orduser->id.";";

// Order update: same unvalidated value in the WHERE clause.
$mealid   = JRequest::getVar('mealid');
$SQLQuery = "UPDATE #__miniwork_canteen_order SET jo_userid = ".$orduser->id.", jo_changed=NOW(), jo_changedby='".$orduser->sSecondName." ".$orduser->sFirstName."' WHERE jo_mealid=".$mealid." AND jo_userid is null LIMIT 1;";


IV. SAMPLE CODE

A) Local File Inclusion

http://site/path/index.php?option=com_canteen&controller=../../../../../etc/passwd%00


V. FIX

Check for path traversal sequences and use the PHP function
intval() for integer values.
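The two fixes above carried through in code, as an added example for this advisory (not the vendor's code): it assumes Joomla 1.5's JRequest::getCmd(), JRequest::getInt() and JDatabase::Quote(), and the controller allow-list names are assumed, not taken from the component.

```php
<?php
// Added hardening example; assumes the Joomla 1.5 conventions (JRequest,
// JPATH_COMPONENT, DS) used by the advisory's snippets.

// A) Controller include: filter the value to a command token and check an
//    allow-list. getCmd() keeps only [A-Za-z0-9_.-] and strips leading dots,
//    so "../" and a null byte never reach the file system; the allow-list
//    then restricts the value to controllers the component actually ships.
function canteenLoadController()
{
    $allowed    = array('menu', 'order');   // assumed names, not from the advisory
    $controller = JRequest::getCmd('controller', '');
    if ($controller === '' || !in_array($controller, $allowed, true)) {
        return false;
    }
    $dir  = realpath(JPATH_COMPONENT . DS . 'controllers');
    $file = realpath($dir . DS . $controller . '.php');
    // Defence in depth: the resolved path must still sit inside the
    // controllers directory even if the allow-list is edited later.
    if ($file === false || strpos($file, $dir . DS) !== 0) {
        return false;
    }
    require_once $file;
    return true;
}

// B) mealid: force an integer before it is interpolated into SQL, and quote
//    the user-supplied name fields that the original query also inlined.
function canteenOrderInsertQuery($db, $user)
{
    $mealid = JRequest::getInt('mealid', 0);   // (int) cast: no SQL can survive it
    if ($mealid <= 0) {
        return null;                           // caller reports an invalid meal id
    }
    $by = $db->Quote($user->sSecondName . ' ' . $user->sFirstName);
    return 'INSERT INTO #__miniwork_canteen_order'
         . ' (jo_userid, jo_mealid, jo_created, jo_createdby, jo_changed, jo_changedby)'
         . ' VALUES (' . (int) $user->id . ', ' . $mealid . ', NOW(), ' . $by
         . ', NOW(), ' . $by . ')';
}
```

The same (int) treatment of mealid applies to the DELETE and UPDATE queries, which differ only in their WHERE clauses.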