Filipe Reis

Filipe Reis

Pentester, Security Researcher, Bug Hunter and Organizer of BSidesLisbon

CVE-2015-7342 - Multiple SQL Injection in JNews Joomla Component

1 minute read

1. Vulnerability Properties

  • Title: Multiple SQL Injection in JNews Joomla Component
  • CVE ID: CVE-2015-7342
  • CVSSv3 Base Score: 6.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L)
  • Vendor: Joobi
  • Products: JNews Core(8.3.1)
  • Advisory Release Date: 28 October 2015
  • Advisory URL: https://labs.integrity.pt/advisories/cve-2015-7342
  • Credits: Discovery by Fábio Pires <fp[at]integrity.pt>, Filipe Reis <fr[at]integrity.pt>, Vitor Oliveira <vo[at]integrity.pt>

2. Vulnerability Summary

JNews component is vulnerable to Multiple SQL Injection, inside the backoffice.

3. Technical Details

#1 – SQL Injection (error based):

To replicate the issue go to:

Administration > Components > JNews > Templates > > upload thumbnail

image1

  • Upload a thumbnail and grab the request and inject into the filename parameter.

image2

With this we get the following response (as you can see on the response we broke the SQL query):

image3

Now we inject with our SQL query into the parameter filename:

image4

And we get the response with the proof.

image5

#2 – SQL Injection (error based):

To replicate the issue go to:

Administration > Components > JNews > Queue > Search Field

image6

Do a search and grab the request, the injection point is the parameter mailingsearch:

image7

With this we get the following response (as you can see on the response we broke the SQL query):

image8

Now we inject with our SQL query into the parameter mailingsearch:

image9

And we get the response with the proof.

image10

#3 – SQL Injection (error based):

To replicate the issue go to:

Administration > Components > JNews > Subscribers > Search Field
Administration > Components > JNews > Newsletters > Search Field

image11

Do a search and grab the request, the injection point is the parameter emailsearch:

image12

With this we get the following response (as you can see on the response we broke the SQL query):

image13

Now we inject with our SQL query into the parameter emailsearch:

image14

And we get the response with the proof.

image15

4. Vulnerable Versions

  • JNews 8.3.1

5. Solution

  • Update to JNews 8.5.0 or latest.

6. Vulnerability Timeline

  • September 01, 2015 — Bug reported to Joobi
  • September 02, 2015 — Joobi team acknowledges the vulnerability
  • September 20, 2015 — Joobi team releases a new version
  • October 28, 2015 — Public disclosure

7. References

Categories:

Updated: