145516 – www-apps/mambo SQL injection

Bug 145516 - www-apps/mambo SQL injection

Summary: www-apps/mambo SQL injection

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High trivial (vote)
Assignee:	Gentoo Security

URL:	http://www.securityfocus.com/archive/...
Whiteboard:	~3 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2006-08-29 12:28 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified:	2006-09-12 01:14 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2006-08-29 12:28:36 UTC

Hi,
 There are several sql injections in Mambo 4.6 RC2 & Joomla 1.0.10 (and maybe
 other versions) :
 [The codes are from Mambo 4.6 RC2 & some may be different in Joomla]
 
 *) When a user edits a content, the "id" parameter is not checked properly
 in /components/com_content/content.php, which can cause 2 sql injections .
 
 *) The "limit" parameter in the administration section is not checked. This
 affects many pages of administration section :
 
 File /administrator/modules/mod_logged.php, Line 45 :
 :: $query = "SELECT *"
 :: . "\n FROM #__session"
 :: . "\n WHERE userid != 0"
 :: . $_and
 :: . "\n ORDER BY usertype, username"
 >> . "\n LIMIT $pageNav->limitstart, $pageNav->limit"
 :: ;
 
 Also :
 File /administrator/components/com_content/admin.content.php, Line 212 :
 :: . "\n LIMIT $pageNav->limitstart,$pageNav->limit"
 
 And many others .
 
 *) In the administration section, while editing/creating a user, the "gid"
 parameter is not checked properly :
 
 File /administrator/components/com_users/admin.users.php, Line 260 :
 :: $query = "SELECT name"
 :: . "\n FROM #__core_acl_aro_groups"
 >> . "\n WHERE group_id = $row->gid"
 
 And the second injection :
 File /includes/gacl_api.class.php, Line 675 :
 :: $this->db->setQuery( '
 :: SELECT g.group_id,o.'. $group_type .'_id,gm.group_id AS member
 :: FROM '. $object_table .' o
 >> LEFT JOIN '. $group_table .' g ON g.group_id='. $group_id .'
 :: LEFT JOIN '. $table .' gm ON (gm.group_id=g.group_id AND gm.'. $group_type .'_id=o.'. $group_type .'_id)
 :: WHERE (o.section_value=\''. $this->db->getEscaped($object_section_value) .'\' AND o.value=\''. $this->db->getEscaped($object_value) .'\')'
 :: );
 
 And the third :
 File /includes/gacl_api.class.php, Line 704 :
 :: $this->db->setQuery( 'INSERT INTO '. $table .' (group_id,'. $group_type .'_id) VALUES ('. $group_id .','. $object_id .')' );
 
 The original and complete advisory (in Persian), is located at :
 http://www.hackers.ir/advisories/mambo-joomla.html
 
 - Omid

Comment 1 Thierry Carrez (RETIRED) gentoo-dev

2006-09-02 01:50:04 UTC

Bump to Joomla 1.0.11 and future Mambo 4.6 Release is required.

Comment 2 Renat Lumpau (RETIRED) gentoo-dev

2006-09-02 11:51:14 UTC

joomla done

Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2006-09-03 09:54:53 UTC

Removing Joomla from Summary as it is handled on bug #145481.

Comment 4 Renat Lumpau (RETIRED) gentoo-dev

2006-09-11 20:50:52 UTC

-r2 in CVS

Comment 5 Matthias Geerdsen (RETIRED) gentoo-dev

2006-09-12 01:14:34 UTC

closing without GLSA (~arch)

thanks Renat