0 - Multiple

EDB-ID: 13737 CVE: 2010-5043 OSVDB-ID: 65187
Author: d0lc3 Published: 2010-06-06 Verified: Verified
Exploit Code:   Download Vulnerable App:   N/A


Prev Home Next
#Exploit Title:		Joomla Component com_djartgallery Multiple Vulnerabilities

#Date:			04/06/2010 

#Author:		Tomasz Kowalski

#Software Link:		http://www.design-joomla.eu/downloads/download/components/dj-artgallery.html

#Version:		0.9.1

#Tested on:		Linux ubuntu32 2.6.32-22-generic x64

[+] Cross Site Scripting on administrator/components/com_djartgallery/views/editimage/tmpl/default.php:

	We can fond this code on line 183:
	<input type="hidden" name="id" value="<?php echo JRequest::getVar('id'); ?>" />
	<input type="hidden" name="option" value="com_djartgallery" />
	<input type="hidden" name="task" value="editImage" />

	You must see it }x) 	

	<input type="hidden" name="id" value="<?php echo JRequest::getVar('id'); ?>" />

	Method to exploit this could be next code injection:

[+]Blind SQL Injection

	Also we can extract it databases information through Blind SQL Injection, on same parameter, how to we will see on next code:
administrator/components/com_djartgallery/controller.php, line 382:

	$link = 'index.php?option=com_djartgallery&task=com_djartgallery&task=editItem&cid[]='.JRequest::getVar('id');

	To exploit it:

	Field 'Select Article' its changed when reply its true/false; but too its likely that run UNION injection:


by r0i  by r0i  by r0i  by r0i  by r0i  by r0i  by r0i  by r0i  by r0i  by r0i  by r0i  by r0i