Full Disclosure mailing list archives
Re: SQL injection in Joomla extension DT Register
From: Elar Lang <elarlang () gmail com>
Date: Sat, 17 Dec 2016 15:44:37 +0200
Update: 2016-12-16: CVE-2016-1000271 assigned by DWF https://security.elarlang.eu/sql-injection-in-joomla-extension-dt-register.html On Tue, Dec 13, 2016 at 10:06 AM, Elar Lang <elarlang () gmail com> wrote:
Title: SQL injection in Joomla extension DT Register Credit: Elar Lang / https://security.elarlang.eu Vulnerability: SQL injection Vulnerable version: before 3.1.12 (Joomla 3.x) / 2.8.18 (Joomla 2.5) CVE: pending Full Disclosure URL: https://security.elarlang.eu/sql-injection-in-joomla-extension-dt-register.html Vendor: DTH Development * Vendor URL: http://www.dthdevelopment.com/ Product: DT Register "Calendar & Event Registration" * Product URL: https://extensions.joomla.org/extension/dt-register * Product URL: http://www.dthdevelopment.com/joomla-components/dt-register-event-registration-for-joomla.html # Background "DT Register is the Joomla Event Registration component that gives you functionality beyond what any other event booking solution can offer" (https://extensions.joomla.org/extension/dt-register) # Vulnerability SQL injection in Joomla extension "DT Register" by DTH Development allows remote unauthenticated attacker to execute arbitrary SQL commands via the cat parameter. # Preconditions No pre-conditions for authentication or authorization. # Proof-of-Concept http://[DOMAIN]/[PATH]/index.php?controller=calendar&format=raw&cat[0]=SQLi&task=events PoC value (shows out all events / it's possible to see valid eventId values): cat[0]=6) OR 1-- - ## Using UNION For reading the data out using UNION it's important to have and to know one valid eventId (detected in previous step). In total there are 112 fields in select query, eventId position is no 13. For output is best to use position 112. Step-by-Step - how to read the data out is available in blog: https://security.elarlang.eu/sql-injection-in-joomla-extension-dt-register.html # Vulnerability Disclosure Timeline Full communication is available in blog: https://security.elarlang.eu/sql-injection-in-joomla-extension-dt-register.html 2016-10-17 | me > DTH | via web form - I would like to report some security holes. What is the correct way for that? 2016-10-18 | me > DTH | any response? 2016-10-25 | me > DTH | mail to dthdev () dthdevelopment com 2016-10-25 | DTH > me | * "you are not in our client list" * "Our site (dthdevelopment.com) is protected by an enterprise grade firewall" 2016-10-25 | me > DTH | I'm whitehat, technical details 2016-10-25 | DTH > me | description, what kind of serious problems I may face 2016-10-25 | me > DTH | explanations 2016-11-02 | me > DTH | hello? 2016-11-11 | me > DTH, SiteLock | Last call. 2016-11-11 | SiteLock / DTH / me | some communication 2016-11-12 | DTH > SiteLock (CC to me) | "It was configured to be open in the setup" 2016-11-15 | DTH | Released DT Register version 3.1.12 (J3.x) / 2.8.18 (J2.5) 2016-12-05 | DTH > me | "Sorry, forgot to respont on this. We closed the problem on our demo site". 2016-12-12 | me | Full Disclosure on security.elarlang.eu 2016-12-13 | me | Full Disclosure on FullDisclosure mailinglist on seclists.org ## asking CVE from DWF (Distributed Weakness Filing Project) / http://iwantacve.org 2016-10-20 | me > DWF | CVE request 2016-10-31 | DWF > me | "CVE - Acceptance of MITRE Terms of Use for CVE Assignment" 2016-10-31 | me > DWF | I accept 2016-11-19 | me > DWF | Any feedback or decision? (still no response) 2016-12-11 | me > DWF | Is there any hope to get feedback? (still no response) As I haven't got any feedback, you can take this post as CVE request. # Fix DT Register version 3.1.12 (J3.x) / 2.8.18 (J2.5). -- Elar Lang Blog @ https://security.elarlang.eu Pentester, lecturer @ http://www.clarifiedsecurity.com
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- SQL injection in Joomla extension DT Register Elar Lang (Dec 13)
- <Possible follow-ups>
- Re: SQL injection in Joomla extension DT Register Elar Lang (Dec 18)