Jump to content
dRuNNNk

Joomla com_jinc (newsid) Blind SQL Injection Vulnerability

By dRuNNNk, in Exploituri

Recommended Posts

dRuNNNk Newbie

dRuNNNk

Posted
Posted 
---------------------------------------------------------------------------------
joomla component com_jinc (newsid) Blind SQL Injection Vulnerability
---------------------------------------------------------------------------------

Author          : Chip D3 Bi0s
Group           : LatiHackTeam
Email           : chipdebios[alt+64]gmail.com
Date            : 21 September 2009
Critical Lvl    : Moderate
Impact	        : Exposure of sensitive information
Where	        : From Remote
---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application     : JINC (Joomla! Integrated Newsletters Component)
version         : 0.2
Developer       : lhacky
License         : GPL            type  : Non-Commercial
Date Added      : 2 September 2009
Demo            : http://www.lhacky.org/jextensions/index.php?option=com_content&view=article&id=18:how-to-use&catid=12:jinc-documentation&Itemid=28

Download        : http://www.lhacky.org/jextensions/index.php?option=com_content&view=article&id=3&Itemid=15

Description     :

JINC (Joomla! Integrated Newsletters Component) is a easy-to-use and administer newsletter component for Joomla!.
Using JINC your website users can auto-subscribe and unsubscribe to newsletters you defined.

JINC includes classical newsletter functionalities

* Newsletter, messages and subscription management.
* TAG substitution inside the messages body.
* User auto-registration with welcome message at subscription time.
* Newsletter Disclaimer.
* HTML and Text Plain messages.
* Massive or personalized messages.
* Reports on message sending.
* Subscription creating user "on the fly".
* Message preview to message creator before sending to the newsletter subscribers


---------------------------------------------------------------------------


I.Blind SQL injection (newsid) Poc/Exploit:
~~~~~~~~~
http://127.0.0.1/[path]/index.php?option=com_jinc&view=messages&newsid=1[blind]


To make, you must be registered

+++++++++++++++++++++++++++++++++++++++
[!] Produced in South America
+++++++++++++++++++++++++++++++++++++++

# milw0rm.com [2009-09-21]

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...