SECUNIA ADVISORY ID:
Secunia Research has discovered some vulnerabilities in the CKForms
component for Joomla, which can be exploited by malicious people to
conduct SQL injection attacks and compromise a vulnerable system.
1) Input passed via the "articleid" parameter to index.php (when
"option" is set to "com_ckforms", "view" is set to "ckforms", "task"
is set to "send", and "id" is set to a valid form id) is not properly
sanitised before being used in a SQL query. This can be exploited to
manipulate SQL queries by injecting arbitrary SQL code.
Successful exploitation requires that "Save result" is enabled in
the form's configuration (disabled by default).
2) Input passed via the "sortd" parameter to index.php (when "option"
is set to "com_ckforms", "view" is set to "ckformsdata", "layout" is
set to "data", and "id" is set to "f") is not properly sanitised
before being used in a SQL query. This can be exploited to manipulate
SQL queries by injecting arbitrary SQL code.
3) The "CkformsModelCkforms::saveData()" method in models/ckforms.php
allows uploading of files with arbitrary extensions to a folder inside
the web root. This can be exploited to execute arbitrary PHP code by
uploading a PHP file.
Successful exploitation requires the "fileupload" field to be
NOTE: The stored file name is based on the original file name and a
time stamp, which is predictable.
The vulnerabilities are confirmed in version 1.3.4. Other versions
may also be affected.
Edit the source code to ensure that input is properly sanitised.
Change the "Uploaded files path" setting to a directory outside of
the web root.
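
One way to apply the "properly sanitised" advice to the three issues above, as an added example that is not CKForms code and not part of the advisory. The function names, the extension allow-list and the reading of "sortd" as a sort direction are assumptions; it requires PHP 7.1 or later.

```php
<?php
// Added illustration; not CKForms code. Function names, the allow-list and
// the meaning assigned to "sortd" are assumptions made for this example.

// Issue 1: "articleid" is treated as a numeric id, so accept digits only.
function clean_article_id($raw): int
{
    // Request values can be arrays; ctype_digit() rejects signs, spaces,
    // quotes and anything else that is not 0-9.
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 9) {
        return 0;
    }
    return (int) $raw;
}

// Issue 2: "sortd" (assumed to be a sort direction) is never copied into
// the query; it only selects one of two fixed keywords.
function clean_sort_direction($raw): string
{
    return (is_string($raw) && strtoupper(trim($raw)) === 'DESC') ? 'DESC' : 'ASC';
}

// Issue 3: allow-listed extensions only, and a stored name that depends on
// neither the original file name nor the time of upload.
const ALLOWED_EXT = ['jpg', 'png', 'pdf', 'txt'];

function safe_stored_name(string $originalName): ?string
{
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null; // caller rejects the upload
    }
    // Only the final extension survives, so "a.php.jpg" is stored as "<random>.jpg".
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample values standing in for request input.
var_dump(clean_article_id('42'), clean_article_id('3 OR 1=1'), clean_article_id(['42']));
var_dump(clean_sort_direction('desc'), clean_sort_direction('asc, name'));
var_dump(safe_stored_name('report.pdf'), safe_stored_name('page.php'), safe_stored_name('photo.php.JPG'));
```

These checks complement the "Uploaded files path" change rather than replace it: files stored outside the web root cannot be requested directly, whatever their extension.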
PROVIDED AND/OR DISCOVERED BY: