Joomla JE Ajax event calendar SQL Vulnerable

vendor:

JE Ajax event calendar

by:

L0rd CrusAd3r aka VSN

8,8

CVSS

HIGH

SQL Vulnerability

CWE

Product Name: JE Ajax event calendar

Affected Version From: 1.0.5

Affected Version To: 1.0.5

Patch Exists: Yes

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2010

Joomla JE Ajax event calendar SQL Vulnerable

The Joomla JE Ajax event calendar component has a SQL vulnerability which allows an attacker to inject malicious SQL queries into the application. The vulnerability is present in the 'view' parameter of the component, which can be exploited to execute arbitrary SQL commands. The attacker can use this vulnerability to gain access to sensitive information stored in the database, such as user credentials and other confidential data.

Mitigation:

The vendor should patch the vulnerability by properly validating user input and sanitizing the 'view' parameter.

Source

Exploit-DB raw data:

Exploit Title:Joomla JE Ajax event calendar SQL Vulnerable 
Version:1.0.5
Author: L0rd CrusAd3r aka VSN [crusader_hmg@yahoo.com]
Published: 2010-06-23
Greetz to:r0073r (inj3ct0r.com), Sid3^effects, MaYur, MA1201, Sonic Bluehat.
Special Greetz: Topsecure.net, inj3ct0r Team
Shoutzz:- To all ICW members.
~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~
Description:

100% MVC structure follow. There are three different managers in that
component:-

1. Category Management
2. Event Management
3. Event Setting

1. Category Management: - Admin can add, edit, delete, published and unpublished the category title and description.

2. Event Management: - Admin can add, edit, delete, published and unpublished the event. Event title, category, start date, end date, description, background color and text color add, edit and delete, published, unpublished from the event management.
Admin has rights that all users or selected user or none can see the event from front end.
Admin can add event to selected category.

3. Setting: - Admin can enable or disable all the events which user can add the event or not.
Admin can set the header1, header2, header3, header4 color using color picker.

Features:-

- Add event to particular category
- Set the calendar color using color picker.
- Admin has rights to add event from site side.
- Admin has rights that all users see the event or selected user can see the events.
- Front end side user can see the event description in light box by click on that event.
~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~

Vulnerability:

*SQL Vulnerability

DEMO URL :

http://server/component/jeeventcalendar/?view=[Sqli]

# 0day n0 m0re #
# L0rd CrusAd3r #