Joomla com_niceajaxpoll <= 1.3.0 SQL Injection Vulnerability

[DarkyAngel]

Title : Joomla com_niceajaxpoll <= 1.3.0 SQL Injection Vulnerability

Author : Patrick de Brouwer - @knickz0r

Dork : inurl:"/index.php?option=com_niceajaxpoll"

 
+ -- --=[ 0x01 - Software description

Nice Ajax Poll is a component for the Joomla! CMS which all-
ows users to vote on certain questions or statements.

+ -- --=[ 0x02 - Vulnerability description

There is a SQL Injection vulnerability that can be called f-
rom within the website to perform the SQL Injection attack.

+ -- --=[ 0x03 - Impact

The impact of this vulnerability should be rated as critical
as it is possible to access the database and therefore retr-
eive user information such as usernames, passwords and other
data. When abused, hackers could gain access to the adminis-
trative interface of Joomla.

+ -- --=[ 0x04 - Affected versions

As of the source code, the version containint this vulnerab-
ility was version 1.3.0. It was not proven that the vulnera-
bility does not exist in newer or earlier versions. Therfore
the vulnerability is considered available  in versions below
1.3.0.

+ -- --=[ 0x05 - Vendor contact trail

Contact has not been made with the author. Author will rece-
ive a copy of the vulnerability disclosure.

+ -- --=[ 0x06 - Proof of Concept (PoC)

In:

  /components/com_niceajaxpoll/views/niceajaxpoll/tmpl/default.php

there is a call to:

  index.php?option=com_niceajaxpoll&getpliseid="+id,

which is located on line 32.  In practice this vulnerability
has been verified by exploiting the following:

/index.php?option=com_niceajaxpoll&getpliseid=1 OR 1=1
                                              ,-------
                                              '- SQLi

Sursa