Joomla Component ChronoForms (com_chronocontact) - Blind SQL Injection Vulnerability

vendor:

ChronoForms for Joomla 1.5

by:

_mlk_ (Renan)

7,5

CVSS

HIGH

Blind SQL Injection

CWE

Product Name: ChronoForms for Joomla 1.5

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: N/A

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: all OS

2010

Joomla Component ChronoForms (com_chronocontact) – Blind SQL Injection Vulnerability

A Blind SQL Injection vulnerability was discovered in Joomla Component ChronoForms (com_chronocontact). The vulnerability is triggered when an attacker sends malicious input to the vulnerable parameter 'itemid' in the URL. This can allow an attacker to gain access to sensitive information from the database.

Mitigation:

Ensure that user input is properly sanitized and validated before being used in database queries.

Source

Exploit-DB raw data:

# Exploit Title: Joomla Component ChronoForms (com_chronocontact)
# Date: 01, June 2010
# Author:  _mlk_ (Renan)
# Software Link:0
# Version: 0
# Tested on: all OS
# CVE : 0
# Code : here

Joomla Component ChronoForms (com_chronocontact) - Blind SQL Injection Vulnerability

###################################################################################################################################


   [!] Discovered by : _mlk_ (Renan)

   [!] Teams : c00kies , BugSec , BotecoUnix & c0d3rs

   [!] Homepages :  http://code.google.com/p/bugsec/  <>  http://botecounix.com.br/blog/  <>  http://c0d3rs.wordpress.com/

   [!] Location : Porto Alegre - RS, Brasil
                         (or Brazil)

###################################################################################################################################


      [-] Information

   [?] Script : ChronoForms for Joomla 1.5

   [?] Vendor :  http://www.chronoengine.com/

   [?] Dork/String :  "index.php?option=com_chronocontact" / "com_chronocontact"

   [?] Download : http://www.chronoengine.com/downloads/9-chronoforms.html

   [?] Date :  01, June 2010


###################################################################################################################################


      [*] Example :

         http://localhost/index.php?option=com_chronocontact&itemid=1 [Blind-SQL]
         http://localhost/[PATH]/index.php?option=com_chronocontact&itemid=1 [Blind-SQL]


###################################################################################################################################


    [~] Agradecimentos :

        Deus , Familiares , Amigos e Tricolor Gaúcho (Grêmio) .


###################################################################################################################################