Joomla! Component com_formmaker 3.4 - SQL Injection

EDB-ID: 34637
CVE:
Platform: PHP
Date: 2014-09-12

######################

# Exploit Title : Joomla Spider Form Maker <= 3.4 SQL Injection

# Exploit Author : Claudio Viviani

# Vendor Homepage : http://web-dorado.com/

# Software Link : http://web-dorado.com/products/joomla-form.html

# Dork Google: inurl:com_formmaker
                   

# Date : 2014-09-07

# Tested on : Windows 7 / Mozilla Firefox
#             Linux / Mozilla Firefox

######################

# PoC Exploit:

http://localhost/index.php?option=com_formmaker&view=formmaker&id=[SQLi]

The "id" request parameter is not sanitized.


######################
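
A defensive check for the request pattern in the PoC section, as an added example that is not part of the original advisory: it scans web server access logs for com_formmaker requests whose id is not a plain integer. The combined log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request line inside a combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')
# A legitimate form id is expected to be a short run of digits.
INTEGER_RE = re.compile(r"\d{1,10}")


def suspicious_id(target):
    """Return the offending id value if the request targets com_formmaker
    with a non-integer id, else None."""
    query = urlsplit(target).query
    # keep_blank_values so an empty "id=" is still inspected
    params = parse_qs(query, keep_blank_values=True)
    if "com_formmaker" not in params.get("option", []):
        return None
    for value in params.get("id", []):
        # parse_qs decodes once; decode again to catch double encoding
        decoded = unquote(value)
        if not INTEGER_RE.fullmatch(decoded):
            return decoded
    return None


def scan(lines):
    """Return a list of (client_ip, offending_id) for flagged log lines."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        bad = suspicious_id(m.group("target"))
        if bad is not None:
            hits.append((line.split(" ", 1)[0], bad))
    return hits


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Sep/2014:10:00:01 +0000] "GET /index.php?option=com_formmaker&view=formmaker&id=3 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [12/Sep/2014:10:00:05 +0000] "GET /index.php?option=com_formmaker&view=formmaker&id=3%27 HTTP/1.1" 500 312',
    '198.51.100.7 - - [12/Sep/2014:10:00:09 +0000] "GET /index.php?option=com_formmaker&view=formmaker&id=3%2527 HTTP/1.1" 200 5120',
    '203.0.113.4 - - [12/Sep/2014:10:01:00 +0000] "GET /index.php?option=com_content&id=abc HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, value in scan(SAMPLE_LOG):
        print(f"{ip}\tnon-integer id: {value!r}")
```

Hits on sites that have not yet applied the vendor fix are worth reviewing alongside the response codes and sizes of the same client's other requests.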

# Vulnerability Disclosure Timeline:

2014-09-07:  Discovered vulnerability
2014-09-09:  Vendor Notification
2014-09-10:  Vendor Response/Feedback
2014-09-10:  Vendor Fix/Patch
2014-09-10:  Public Disclosure

#####################

Discovered By : Claudio Viviani
                http://www.homelab.it
		
                info@homelab.it
                homelabit@protonmail.ch


#####################