CVE-2015-7338 - SQL Injection in AcyMailing Joomla Component
1. Vulnerability Properties
- Title: SQL Injection in AcyMailing Joomla Component
- CVE ID: CVE-2015-7338
- CVSSv3 Base Score: 6.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L)
- Vendor: Acyba
- Products: AcyMailing
- Advisory Release Date: 28 October 2015
- Advisory URL: https://labs.integrity.pt/advisories/cve-2015-7338
- Credits: Discovery by Fábio Pires <fp[at]integrity.pt>, Filipe Reis <fr[at]integrity.pt>, Vitor Oliveira <vo[at]integrity.pt>
2. Vulnerability Summary
AcyMailing component is vulnerable to SQL Injection on export controller, inside the backoffice.
3. Technical Details
To replicate the issue go to:
Joomla > Components > AcyMailing > Users > Export (and make the export)
Then grab the request from the export and modify it by adding the two missing parameters:
- exportdatageoloc[geolocation_longitude]=test&exportgeolocorder=’
Note: The array position from explortdatageoloc must be an existing column from acymailing_geolocation table.
With this we get the following response (as you can see on the response we broke the SQL query):
Now we inject with our SQL query into the parameter exportgeolocorder.
And we get the response with the proof.
4. Vulnerable Versions
- AcyMailing (4.9.4).
5. Solution
- Upgrade to AcyMailing 4.9.5 or latest.
6. Vulnerability Timeline
- September 01, 2015 — Bug reported to Acyba
- September 02, 2015 — Acyba team acknowledges the vulnerability
- October 14, 2015 — Acyba team releases a new version
- October 28, 2015 — Public disclosure