[VIM] Joomla! Projects 'com_projects' Component SQL Injection and Local File Include Vulnerabilities
George A. Theall
theall at tenable.com
Wed Oct 27 08:11:55 CDT 2010
So BID 44456 covers a couple of issues reported by jos_ali_joe,
presumably from the blog post at
<http://josalijoe.wordpress.com/2010/10/27/joomla-component-com_projects-lfi-sql-vulnerability/>.
SecurityFocus says one of the issues is a local file inclusion
involving the 'tabla' parameter to the 'agregar_info.php' script, and
indeed jos_ali_joe includes that. The PoC, though, appears to be
taken nearly verbatim from JosS' advisory about GradMan from 2008 --
http://www.securityfocus.com/archive/1/486444 -- and appears in a
section of the blog post that starts:
[+] Exploit: LFI
========================================================================
http://localhost/index.php?option=com_projects&controller=[ LFI ]
========================================================================
I'm not clear if this is a cut-and-paste error or there are two
separate issues at play. It might help if I could find the supposedly
affected component, but I failed to turn up any info about it,
including from CodeGravity's web site.
Has anyone else looked into this yet?
George
--
theall at tenablesecurity.com
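The 'controller=[ LFI ]' PoC quoted above is the generic Joomla 1.5 component
controller-dispatch pattern. The following is an added illustration (not
code from com_projects, GradMan, or the blog post; nobody on this thread has
produced the affected component's source) of what that pattern looks like
when it is vulnerable and what the stock Joomla idiom looks like when it is
not. The component name and the directory layout are assumed for the example.

```php
<?php
// Added example: Joomla 1.5-style controller dispatch for a hypothetical
// component. Two variants of the same dispatcher, vulnerable and hardened.
// Assumed: JPATH_COMPONENT points at the component directory and a
// request helper exposes raw (getVar) and word-filtered (getWord) access.

define('DS', DIRECTORY_SEPARATOR);
define('JPATH_COMPONENT', __DIR__ . DS . 'com_example');   // assumption

/** Minimal stand-in for JRequest so the example runs outside Joomla. */
class JRequest {
    // Raw value, no filtering: this is what makes the vulnerable form exploitable.
    public static function getVar($name, $default = null) {
        return isset($_REQUEST[$name]) ? $_REQUEST[$name] : $default;
    }
    // WORD filter: keeps only [A-Za-z_], so "../" and ".php" cannot survive.
    public static function getWord($name, $default = null) {
        $v = self::getVar($name, $default);
        return $v === null ? null : preg_replace('/[^A-Za-z_]/', '', $v);
    }
}

/**
 * VULNERABLE dispatcher: the controller name is taken unfiltered, so
 *   ?option=com_example&controller=../../../../etc/passwd%00   (PHP < 5.3.4)
 * or a path to any attacker-writable .php file is included.
 */
function dispatch_vulnerable() {
    if ($controller = JRequest::getVar('controller')) {
        $path = JPATH_COMPONENT . DS . 'controllers' . DS . $controller . '.php';
        if (file_exists($path)) {
            require_once $path;          // local file inclusion
        }
    }
}

/**
 * HARDENED dispatcher (the stock Joomla 1.5 idiom): getWord() strips every
 * character outside [A-Za-z_], and the resulting name is additionally
 * checked against an allow-list of controllers the component ships.
 */
function dispatch_hardened() {
    $allowed = array('project', 'task');             // assumed controller set
    $controller = JRequest::getWord('controller', 'project');
    if (!in_array($controller, $allowed, true)) {
        $controller = 'project';                     // unknown name: fall back
    }
    $path = JPATH_COMPONENT . DS . 'controllers' . DS . $controller . '.php';
    if (file_exists($path)) {
        require_once $path;
    }
}

// Quick demonstration of the filter behaviour on a traversal payload.
$_REQUEST['controller'] = '../../../../etc/passwd';
echo "raw : " . JRequest::getVar('controller') . "\n";   // ../../../../etc/passwd
echo "word: " . JRequest::getWord('controller') . "\n";  // etcpasswd
```

The practical check when triaging a report like this one is therefore to
look at how the component's entry point reads 'controller': getVar() (or a
raw $_GET/$_REQUEST read) concatenated into an include path is the real
bug; getWord() with an allow-list is not, no matter what the PoC URL says.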