Joomla CKForms Component Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA40127

VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/40127/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=40127

RELEASE DATE:
2010-06-30

DESCRIPTION:
Secunia Research has discovered some vulnerabilities in the CKForms
component for Joomla, which can be exploited by malicious people to
conduct SQL injection attacks and compromise a vulnerable system.

1) Input passed via the "articleid" parameter to index.php (when
"option" is set to "com_ckforms", "view" is set to "ckforms", "task"
is set to "send", and "id" is set to a valid form id) is not properly
sanitised before being used in a SQL query. This can be exploited to
manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation requires that the "Save result" option is
enabled in the form's configuration (disabled by default).

2) Input passed via the "sortd" parameter to index.php (when "option"
is set to "com_ckforms", "view" is set to "ckformsdata", "layout" is
set to "data", and "id" is set to "f") is not properly sanitised
before being used in a SQL query. This can be exploited to manipulate
SQL queries by injecting arbitrary SQL code.

3) The "CkformsModelCkforms::saveData()" method in models/ckforms.php
allows uploading of files with arbitrary extensions to a folder inside
the web root. This can be exploited to execute arbitrary PHP code by
uploading a PHP file.

Successful exploitation requires the "fileupload" field to be
configured.

NOTE: The stored file name is based on the original file name and a
time stamp, which is predictable.

The vulnerabilities are confirmed in version 1.3.4. Other versions
may also be affected.

SOLUTION:
Edit the source code to ensure that input is properly sanitised.
Change the "Uploaded files path" setting to a directory outside of
the web root.
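
One way to apply the input checks named above, as an added PHP example
that is not taken from the advisory or from the CKForms source. The
function names, the allowed-extension list and the sample values are
assumptions made for illustration.

```php
<?php
// Added illustration; not CKForms code. All function names are hypothetical.

// Issue 1: "articleid" is a numeric id, so accept only a non-negative
// integer before the value is used in a query; anything else becomes 0.
function ck_clean_article_id($raw): int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    return $id === false ? 0 : $id;
}

// Issue 2: a sort direction has only two legal values. Anything else
// falls back to a fixed default instead of reaching the ORDER BY clause.
function ck_clean_sort_dir($raw): string
{
    $dir = is_string($raw) ? strtoupper(trim($raw)) : '';
    return in_array($dir, ['ASC', 'DESC'], true) ? $dir : 'ASC';
}

// Issue 3: accept only allow-listed extensions and store the file under
// a random name, so the stored name is neither user-chosen nor derived
// from a time stamp. Returns null when the upload must be rejected.
function ck_stored_upload_name(string $originalName, array $allowedExt): ?string
{
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, $allowedExt, true)) {
        return null;
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample inputs, not values from the advisory.
$allowed = ['pdf', 'png', 'jpg', 'txt'];   // assumed allow-list

var_dump(ck_clean_article_id('42'));
var_dump(ck_clean_article_id("42' extra text"));   // non-integer input
var_dump(ck_clean_sort_dir('desc'));
var_dump(ck_clean_sort_dir('desc, extra text'));   // not ASC or DESC
var_dump(ck_stored_upload_name('report.PDF', $allowed));
var_dump(ck_stored_upload_name('page.php', $allowed));   // extension not allowed
```

These checks complement the "Uploaded files path" change; they do not
replace moving the upload directory outside of the web root.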

PROVIDED AND/OR DISCOVERED BY:
Secunia Research
