Joomla Spider Form Maker <= 4.3 - SQL Injection

2014-09-24 10:48:51

######################

# Exploit Title : Joomla Spider Form Maker <= 4.3 SQL Injection

# Exploit Author : Claudio Viviani

# Vendor Homepage : http://web-dorado.com/

# Software Link : http://web-dorado.com/products/joomla-form.html

# Dork Google: inurl:com_formmaker


# Date : 2014-09-07

# Tested on : Windows 7 / Mozilla Firefox, Linux / Mozilla Firefox

######################

# PoC Exploit:

http://localhost/index.php?option=com_formmaker&view=formmaker&id=[SQLi]


The "id" parameter is not sanitized.
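As an added, defender-side illustration (not the component's own code, which this advisory does not reproduce), the following constructed Joomla-style model shows the pattern the advisory describes, a request value concatenated into SQL, beside a hardened version that uses Joomla's JInput integer filter and the query builder. The class names and the `#__formmaker` table name are hypothetical.

```php
<?php
// Constructed illustration of a Joomla 2.5/3.x model; class and table
// names are hypothetical and not taken from the real com_formmaker code.
defined('_JEXEC') or die;

class FormmakerModelVulnerable extends JModelLegacy
{
    // Unsafe: the raw request value is concatenated straight into SQL, so
    // whatever follows "&id=" in the URL becomes part of the query text.
    public function getForm()
    {
        $id = JRequest::getVar('id');          // unfiltered string
        $db = $this->getDbo();
        $db->setQuery("SELECT * FROM #__formmaker WHERE id = " . $id);
        return $db->loadObject();
    }
}

class FormmakerModelFixed extends JModelLegacy
{
    // Safe: getInt() casts the parameter to an integer before use, so
    // non-numeric input collapses to 0 and is rejected; the query builder
    // quotes the table and column names.
    public function getForm()
    {
        $input = JFactory::getApplication()->input;
        $id    = $input->getInt('id', 0);

        if ($id <= 0) {
            return null;                       // reject missing or bogus ids
        }

        $db    = $this->getDbo();
        $query = $db->getQuery(true)
            ->select('*')
            ->from($db->quoteName('#__formmaker'))
            ->where($db->quoteName('id') . ' = ' . (int) $id);
        $db->setQuery($query);

        return $db->loadObject();
    }
}
```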


######################

# Vulnerability Disclosure Timeline:

2014-09-07: Discovered vulnerability
2014-09-09: Vendor Notification
2014-09-10: Vendor Response/Feedback
2014-09-10: Vendor Fix/Patch
2014-09-10: Public Disclosure

#####################

Discovered By : Claudio Viviani
http://www.homelab.it


https://www.facebook.com/homelabit
https://twitter.com/homelabit
https://plus.google.com/+HomelabIt1/
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww

#####################
