Joomla joomanager SQli Vulnerability

vendor:

Joomanager

by:

Sid3^effects aKa HaRi

7,5

CVSS

HIGH

SQL Injection

89 (SQL Injection)

CWE

Product Name: Joomanager

Affected Version From: 1.1.1

Affected Version To: 1.1.1

Patch Exists: YES

Related CWE: None

CPE: a:joomanager:joomanager

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: None

2010

Joomla joomanager SQli Vulnerability

JooManager enables users to create a real estate website for their clients. An SQL injection vulnerability exists in the 'catid' parameter of the 'view=itemslist' component, which can be exploited to execute arbitrary SQL commands.

Mitigation:

Input validation should be used to prevent SQL injection attacks.

Source

Exploit-DB raw data:

Note from the vendor received 10Mar11:

The old code was using JReguest::GetVar and we change it to JReguest::GetInt so the catid must be an integer only and not text.

We updated this over 6 months ago in version 1.1.1


1               ##########################################             1
0               I'm Sid3^effects member from Inj3ct0r Team             1
1               ##########################################             0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1

Name :  Joomla joomanager SQli Vulnerability 
Date : june, 30 2010
Critical Level 	: HIGH
Vendor Url : http://www.joomanager.com/
Author : Sid3^effects aKa HaRi <shell_c99[at]yahoo.com>
special thanks to : r0073r (inj3ct0r.com),L0rd CruSad3r,MaYur,MA1201,KeDar,Sonic,gunslinger_,Sn!pEr.S!Te,n4pst3rr
greetz to :www.topsecure.net ,All ICW members and my friends :) luv y0 guyz 
#######################################################################################################
Description:


JooManager enables you to create a phenomenal real estate website for your clients so they can dominate the listing market!  Today's most successful Realtors have already realized that consumers are using search engines to buy and sell real estate. JoomProperty from its front end display to its extremely user-friendly backend technology, is built to adhere to search engines' best practices.

###############################################################################################################

Xploit: SQLi VUlnerability

 
DEMO URL : http://server/component/joomanager/?view=itemslist&catid=[sqli]

###############################################################################################################
# 0day no more 
# Sid3^effects