Hi,
There are several sql injections in Mambo 4.6 RC2 & Joomla 1.0.10 (and maybe
other versions) :
[The codes are from Mambo 4.6 RC2 & some may be different in Joomla]
*) When a user edits a content, the "id" parameter is not checked properly
in /components/com_content/content.php, which can cause 2 sql injections .
*) The "limit" parameter in the administration section is not checked. This
affects many pages of administration section :
File /administrator/modules/mod_logged.php, Line 45 :
:: $query = "SELECT *"
:: . "\n FROM #__session"
:: . "\n WHERE userid != 0"
:: . $_and
:: . "\n ORDER BY usertype, username"
>> . "\n LIMIT $pageNav->limitstart, $pageNav->limit"
:: ;
Also :
File /administrator/components/com_content/admin.content.php, Line 212 :
:: . "\n LIMIT $pageNav->limitstart,$pageNav->limit"
And many others .
*) In the administration section, while editing/creating a user, the "gid"
parameter is not checked properly :
File /administrator/components/com_users/admin.users.php, Line 260 :
:: $query = "SELECT name"
:: . "\n FROM #__core_acl_aro_groups"
>> . "\n WHERE group_id = $row->gid"
And the second injection :
File /includes/gacl_api.class.php, Line 675 :
:: $this->db->setQuery( '
:: SELECT g.group_id,o.'. $group_type .'_id,gm.group_id AS member
:: FROM '. $object_table .' o
>> LEFT JOIN '. $group_table .' g ON g.group_id='. $group_id .'
:: LEFT JOIN '. $table .' gm ON (gm.group_id=g.group_id AND gm.'. $group_type .'_id=o.'. $group_type .'_id)
:: WHERE (o.section_value=\''. $this->db->getEscaped($object_section_value) .'\' AND o.value=\''. $this->db->getEscaped($object_value) .'\')'
:: );
And the third :
File /includes/gacl_api.class.php, Line 704 :
:: $this->db->setQuery( 'INSERT INTO '. $table .' (group_id,'. $group_type .'_id) VALUES ('. $group_id .','. $object_id .')' );
The original and complete advisory (in Persian), is located at :
http://www.hackers.ir/advisories/mambo-joomla.html
- Omid
