Re: Joomla 1.5.21 | Potential SQL Injection Flaws

["Thor (Hammer of God)" <thor () hammerofgod com>]

P.S.  You don't sanitize input on your "Subscribe for Updates" post before sending it to Feedburner.   You know, the 
one located in "http://yehg.net/lab/#home"; across from your "XSS attack demo on Joomla!" log update.  
It's trivial to generate "Trouble at the mill! FeedBurner encountered some kind of error performing the task or 
displaying the page you requested. Fear not, this event has notified the appropriate people within FeedBurner and we 
will have this all ironed out soon."

I'm  sure there are people on the list here that can help you with that.

t



-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of 
Thor (Hammer of God)
Sent: Sunday, October 31, 2010 1:35 PM
To: full-disclosure () lists grok org uk; bugtraq () securityfocus com; bugs () securitytracker com; vuln () secunia 
com; secalert () securityreason com; news () securiteam com; vuln () security nnov ru
Subject: Re: [Full-disclosure] Joomla 1.5.21 | Potential SQL Injection Flaws

According to your site, you want "to entice young Burmese people into ethical hacking" and "raise students' interest in 
security/hacking in an ethical manner," yet you "disclosed these flaws in order for someone who can exploit these flaws 
to the next maximum level"? 

Douche. 

t



-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of 
YGN Ethical Hacker Group
Sent: Sunday, October 31, 2010 12:19 PM
To: full-disclosure () lists grok org uk; bugtraq () securityfocus com; bugs () securitytracker com; vuln () secunia 
com; secalert () securityreason com; news () securiteam com; vuln () security nnov ru
Subject: [Full-disclosure] Joomla 1.5.21 | Potential SQL Injection Flaws

1. VULNERABILITY DESCRIPTION


Potential SQL Injection Flaws were detected Joomla! CMS version 1.5.20. These flaws were reported along with our Cross 
Scripting Flaw which was fixed in 1.5.21. Developers believed that our reported SQL Injection flaws are not fully 
exploitable because of Joomla! built-in string filters and were not fixed in 1.5.21 which is currently the latest 
version.

As a result, we disclosed these flaws  in order for someone who can exploit these flaws to the next maximum level.


2. PROOF-OF-CONCEPT/EXPLOIT

http://yehg.net/lab/pr0js/advisories/joomla/core/1.5.21/sql_injection/sqli_(filter_order)_front.jpg
http://yehg.net/lab/pr0js/advisories/joomla/core/1.5.21/sql_injection/sqli_%28filter_order_Dir%29_front.jpg
http://yehg.net/lab/pr0js/advisories/joomla/core/1.5.21/sql_injection/sqli_%28filter_order_Dir%29_back.jpg


3. DISCLOSURE TIME-LINE


2010-10-06  : Notified Joomla! Security Strike Team
2010-11-01  : Vulnerability disclosed


4. VENDOR

Joomla! Developer Team
http://www.joomla.org
http://www.joomla.org/download.html

________________________________________________________

# YGN Ethical Hacker Group
# http://yehg.net
# 2010-11-1

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/