Joomla DJ-ArtGallery Component "cid[]" Two Vulnerabilities

SECUNIA ADVISORY ID:
SA40073

VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/40073/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=40073

RELEASE DATE:
2010-06-07

DESCRIPTION:
Two vulnerabilities have been discovered in the DJ-ArtGallery
component for Joomla, which can be exploited by malicious users to
conduct SQL injection attacks and by malicious people to conduct
cross-site scripting attacks.

1) Input passed via the "cid[]" parameter to administrator/index.php
(when "option" is set to "com_djartgallery" and "task" is set to
"editItem") is not properly sanitised before being used in a SQL
query in models/edititem.php. This can be exploited to manipulate SQL
queries by injecting arbitrary SQL code.

Successful exploitation requires "Public Back-end" permissions.

2) Input passed to the "cid[]" parameter in administrator/index.php
(when "option" is set to "com_djartgallery" and "task" is set to
"editItem") is not properly sanitised before being returned to the
user in views/edititem/tmpl/default.php. This can be exploited to
execute arbitrary HTML and script code in a user's browser session in
the context of an affected site.

The vulnerabilities are confirmed in version 0.9.1. Other versions may
also be affected.

SOLUTION:
Edit the source code to ensure that input is properly sanitised.
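
What "properly sanitised" means for an id array such as "cid[]", shown as an added example in plain PHP that is not part of the advisory or of DJ-ArtGallery's code: the ids are validated as integers before the query and every value is HTML-escaped on output. The helper names, the "items" table and the sample request values are assumptions constructed for illustration.

```php
<?php
// Added example: hypothetical helpers, not DJ-ArtGallery's own code.

// Reduce a raw cid[] value to unique positive integers. Entries that are
// not plain decimal integers are dropped, so no request text survives.
function clean_cid($raw): array
{
    $ids = [];
    foreach ((array) $raw as $value) {
        // Nested arrays and strings such as "7 OR 1=1" fail validation.
        $id = filter_var($value, FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 1]]);
        if ($id !== false) {
            $ids[] = $id;
        }
    }
    return array_values(array_unique($ids));
}

// Fetch the selected rows with one bound placeholder per id.
// The "items" table is an assumed stand-in for the component's table.
function load_items(PDO $db, array $ids): array
{
    if ($ids === []) {
        return [];
    }
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("SELECT id, title FROM items WHERE id IN ($marks)");
    $stmt->execute($ids);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// HTML-escape a value for element content or a quoted attribute.
function e($text): string
{
    return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
}

// Constructed sample standing in for the request's cid[] parameter.
$raw = ['3', '7 OR 1=1', '"><script>alert(1)</script>', '12'];
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO items VALUES (3, 'Sunset'), (12, '<b>Harbour</b>')");
foreach (load_items($db, clean_cid($raw)) as $row) {
    echo '<input type="hidden" name="cid[]" value="', e($row['id']), '"> ',
        e($row['title']), "\n";
}
```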

PROVIDED AND/OR DISCOVERED BY:
d0lc3