Blind SQL Injection in Joomla! com_virtuemart <= v1.1.7

Once again Joomla! gives us a new vulnerability in one of its components. This time the vulnerability is in VirtueMart, an open source e-commerce solution that runs on top of the Joomla! content management system (CMS).

Steven Seeley & Rocco Calvi from stratsec found a blind SQL injection in VirtueMart that can lead to full control of the web server. Lines 255-270 of 'com_virtuemart/classes/ps_module.php' contain the 'get_dir()' function, which receives the '$modulename' variable as '$basename' and uses it directly in an SQL query without any sanitisation. The vulnerable function with its SQL statement:

[php]function get_dir($basename) {
    $datab = new ps_DB;

    $results = array();

    // Vulnerable: $basename is concatenated straight into the SQL text,
    // so a quote inside it terminates the string literal and the rest is parsed as SQL
    $q = "SELECT module_perms FROM #__{vm}_module where module_name='".$basename."'";
    $datab->query($q);

    if ($datab->next_record()) {
        $results['perms'] = $datab->f("module_perms");
        return $results;
    }
    else {
        return false;
    }
}[/php]
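The following is an added example, not VirtueMart's code: it reproduces the concatenating query pattern of get_dir() next to a prepared-statement version and runs both against an in-memory SQLite table that stands in for #__{vm}_module (the table name, row and input value are constructed for the demonstration; PDO is used instead of the ps_DB class).

```php
<?php
// Added example (not VirtueMart code). Assumes the pdo_sqlite extension.
// "jos_vm_module" is a constructed stand-in for the #__{vm}_module table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE jos_vm_module (module_name TEXT, module_perms TEXT)");
$db->exec("INSERT INTO jos_vm_module VALUES ('store', 'admin,storeadmin')");

// Mirrors the vulnerable pattern from get_dir(): the module name is
// spliced into the SQL text, so quote characters in it change the query.
function get_dir_vulnerable(PDO $db, string $basename)
{
    $q = "SELECT module_perms FROM jos_vm_module WHERE module_name='" . $basename . "'";
    $row = $db->query($q)->fetch(PDO::FETCH_ASSOC);
    return $row ? ['perms' => $row['module_perms']] : false;
}

// Hardened version: the module name travels as a bound parameter and is
// never parsed as SQL, whatever characters it contains.
function get_dir_safe(PDO $db, string $basename)
{
    $stmt = $db->prepare("SELECT module_perms FROM jos_vm_module WHERE module_name = :name");
    $stmt->execute([':name' => $basename]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? ['perms' => $row['module_perms']] : false;
}

// Constructed input: a name that is not a module, carrying a tautology.
// No permissions row should ever match it.
$input = "nosuchmodule' OR '1'='1";

// The concatenating builder lets the tautology match the stored row,
// so a caller that only checks for "a row came back" is misled.
var_dump(get_dir_vulnerable($db, $input));

// The bound parameter compares the whole string literally, so nothing matches.
var_dump(get_dir_safe($db, $input));
```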

The second part of the problem is at the end of 'com_virtuemart/virtuemart_parser.php', where the code performs a permission check whenever the request variable 'option' is 'com_virtuemart'. The '$page' variable is made global during the initialisation of 'virtuemart_parser.php'. Once '$page' has a value, 'checkModulePermissions()' is called with it:

[php]if( $option == "com_virtuemart" ) {
    if (empty($page)) {// default page
        if (defined('_VM_IS_BACKEND')) {
            $page = "store.index";
        }
        else {
            $page = HOMEPAGE;
        }
    }
    // Let's check if the user is allowed to view the page
    // if not, $page is set to ERROR_PAGE
    // $page comes straight from the request and reaches get_dir() through this call
    $pagePermissionsOK = $ps_module->checkModulePermissions( $page );[/php]

To find vulnerable web servers an attacker can use the Google hacking method and simply search for (inurl:"?option=com_virtuemart"), which returns about 46 million results for sites using VirtueMart. Exploiting this vulnerability, however, has some limitations:

  1. When an attacker performs an SQL injection attack, the server sometimes responds with error messages from the database server complaining that the SQL query's syntax is incorrect. With blind SQL injection the attacker instead gets a generic page specified by the webmaster.
  2. Joomla's core code base filters requests containing the comparison operators '<' or '>', but the vulnerability can still be exploited through the '=' operator, which increases the number of requests in the web server log.
  3. Since no error information comes back from the database, an attacker can use a time-delay technique and true/false questions through SQL statements.
  • If the version is MySQL 4, the request is delayed for a period of 30 seconds:

http://[target]/[path]/index.php?option=com_virtuemart&page=-1’+union+select+if(substring(@@version,1,1)=4,benchmark(30000000,MD5(‘x’)),null)–+fakemodule.fakepag

  • If the version is MySQL 5, the request is delayed for a period of 30 seconds:

http://[target]/[path]/index.php?option=com_virtuemart&page=-1’+union+select+if(substring(@@version,1,1)=5,benchmark(30000000,MD5(‘x’)),null)–+fakemodule.fakepag

If you use Joomla with VirtueMart, update to version 1.1.8 or install the patch provided by VirtueMart: http://dev.virtuemart.net/attachments/202/PatchVirtueMart-1.1.7a.zip.
