Re: joomlacontenteditor (com_jce) BLIND sql injection vulnerabil
This alert is bunk. There is no mention of "Itemid" in relation to database operations in the entire source code of com_jce, which there would need to be for blind sql injection.

The behaviour of the Itemid parameter in Joomla is complex and I won't go into all the details here. Suffice it to say that manipulating the Itemid to alternative valid Itemid values can change the content of the page, and changing to an invalid Itemid (such as a negative number) is equivalent to setting it to 0.

There is no SQL injection at play here, at least with core Joomla and the com_jce editor. Other 3rd-party extensions may vary.

Stephen Brandon
metamodpro.com
On 9 Apr 2011, at 04:28, eidelweiss@windowslive.com wrote:
> ===================================================================
> joomlacontenteditor (com_jce) BLIND sql injection vulnerability
> ===================================================================
>
> Software: joomlacontenteditor (com_jce)
> Vendor: www.joomlacontenteditor.net
> Vuln Type: Blind SQL Injection
> Download link: http://www.joomlacontenteditor.net/downloads/editor/joomla15x/category/joomla-15-2 (check here)
> Author: eidelweiss
> contact: eidelweiss[at]windowslive[dot]com
> Home: www.eidelweiss.info
> Dork: inurl:"/index.php?option=com_jce"
>
>
> References: http://eidelweiss-advisories.blogspot.com/2011/04/joomlacontenteditor-comjce-blind-sql.html
>
>
> ===================================================================
>
> Description:
>
> JCE makes creating and editing Joomla!®
> content easy Add a set of tools to your Joomla!® environment that give you the power to create the kind of content you want,
> without limitations, and without needing to know or learn HTML, XHTML, CSS...
>
> ===================================================================
>
> exploit & p0c
>
> [!] index.php?option=com_jce&Itemid=[valid Itemid]
>
> Example p0c
>
> [!] http://host/index.php?option=com_jce&Itemid=8 <= True
> [!] http://host/index.php?option=com_jce&Itemid=-8 <= False
>
>
> ====================================================================
>
> Nothing Impossible In This World Even Nobody`s Perfect
>
> ===================================================================
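
The reply's point, that the True/False pair in the quoted advisory follows from Itemid handling alone, can be checked with benign values only. The following is an added example, not part of the original thread and not Joomla or com_jce code: `render`, `triage_differential` and the menu table are constructed, simplified stand-ins, and treating every unknown or non-numeric Itemid as 0 is an assumption of the model.

```python
import sqlite3

# Constructed stand-in for a site's menu table; not Joomla's schema or code.
def build_menu_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE menu (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO menu VALUES (?, ?)",
                   [(1, "Home"), (8, "Editor"), (9, "News")])
    return db

def render(db, itemid):
    """Simplified model of the behaviour the reply describes: a valid Itemid
    selects that menu item's page, anything else is treated as Itemid 0."""
    try:
        wanted = int(itemid)
    except (TypeError, ValueError):
        wanted = 0  # assumption of this model
    # Bound parameter: the value never becomes part of the SQL text.
    row = db.execute("SELECT id, title FROM menu WHERE id = ?",
                     (wanted,)).fetchone()
    if row is None:
        return "itemid=0 page=default"
    return f"itemid={row[0]} page={row[1]}"

def triage_differential(fetch, valid_id):
    """Classify an advisory's True/False page pair using only benign values."""
    true_page = fetch(valid_id)
    false_page = fetch(-valid_id)
    zero_page = fetch(0)
    if true_page == false_page:
        return "no differential"
    if false_page == zero_page:
        # The "False" page is simply the Itemid=0 page: routing explains it.
        return "explained by Itemid fallback"
    return "unexplained, review the source"

def demo():
    db = build_menu_db()
    return triage_differential(lambda i: render(db, i), 8)

if __name__ == "__main__":
    print(demo())
```

A differing page for `Itemid=8` and `Itemid=-8` is therefore not evidence of injection on its own; the source-code review described in the reply is what settles the question.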