QContacts 1.0.6 (Joomla component) SQL injection

vendor:

QContacts

by:

Don (BalcanCrew & BalcanHack)

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: QContacts

Affected Version From: 1.0.6

Affected Version To: 1.0.6

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Apache

2011

QContacts 1.0.6 (Joomla component) SQL injection

This vulnerability affects /index.php, where an attacker can inject malicious SQL code into the 'filter_order' parameter of the /index.php?option=com_qcontacts?=catid=0&filter_order=[SQLi]&filter_order_Dir=&option=com_qcontacts URL.

Mitigation:

Filter metacharacters from user input.

Source

Exploit-DB raw data:

############################################################################
# Exploit Title: *QContacts 1.0.6 (Joomla component) SQL injection*
# Google Dork: inurl:"/components/com_qcontacts/"
# Date: Decembar/08/2011
# Author: Don (BalcanCrew & BalcanHack)
# Software Link: *
http://www.latenight-coding.com/joomla-addons/qcontacts.html*
# Version: 1.0.6
# Tested on: Apache
############################################################################

Vulnerability:
This vulnerability affects /index.php

*
/index.php?option=com_qcontacts?=catid=0&filter_order=[SQLi]&filter_order_Dir=&option=com_qcontacts
*


How to fix this vulnerability:
*Filter metacharacters from user input.*

*~Don 2011*