Joomla BibTeX Component "afilter" Parameter Handling Remote SQL Injection Vulnerability
| Field | Value |
|---|---|
| Release Date | 24/08/2007 |
| Severity | Moderately Critical |
| SecWatch Advisory | SWID1018824 |
| Cause | Input validation error |
| Solution Status | Unpatched |
| Impact | SQL Injection |
| Exploit Status | None Available |
| Access Vector | From remote |
| Affected Software | BibTeX 1.x (component for Joomla) |
| References | http://milw0rm.com/exploits/4310 |
Description:
An input validation vulnerability has been reported in the BibTeX component for Joomla, which can be exploited by remote users to conduct SQL injection attacks.
User-supplied input passed to the "afilter" parameter of the /index.php script is not correctly sanitised before being used in a SQL query. This can be exploited via a specially crafted parameter value to execute arbitrary SQL commands on the underlying database.
Affected:
Joomla BibTeX component version 1.3. Other versions may also be affected.
Solution:
There was no vendor-supplied solution at the time of entry.
Edit the source code manually to ensure that user-supplied input is correctly sanitised before it reaches the database.
Filter malicious characters and character sequences via an HTTP proxy or firewall with URL filtering capabilities.
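The following is an added illustration, not code from the BibTeX component, of the defect the advisory describes and of the "sanitise before use" fix it recommends: the unsafe pattern concatenates the "afilter" value into the query text, while the hardened version binds it as a parameter. The table and column names, the use of PDO, and the in-memory SQLite demo are assumptions; a Joomla component would normally go through its own database class, but the principle is the same.

```php
<?php
// Added example (not the component's own code). Assumed schema:
// table bibtex(id, title, author); "afilter" is matched against author.

// UNSAFE: the raw "afilter" value becomes part of the SQL text, so any
// quote or SQL syntax in it is parsed by the database (the reported defect).
function listEntriesUnsafe(PDO $pdo, array $get): array
{
    $afilter = $get['afilter'] ?? '';
    $sql = "SELECT id, title, author FROM bibtex WHERE author LIKE '%$afilter%'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: length-limited, LIKE wildcards neutralised, and the value bound
// as a parameter so it is only ever treated as data, never as SQL.
function listEntriesHardened(PDO $pdo, array $get): array
{
    $afilter = (string) ($get['afilter'] ?? '');
    if (strlen($afilter) > 100) {
        throw new InvalidArgumentException('afilter too long');
    }
    // '!' is declared as the LIKE escape character below; escape it and the
    // wildcards so user input cannot widen the match.
    $pattern = '%' . str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $afilter) . '%';
    $stmt = $pdo->prepare(
        "SELECT id, title, author FROM bibtex WHERE author LIKE :p ESCAPE '!'"
    );
    $stmt->execute([':p' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demo against a constructed in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE bibtex (id INTEGER PRIMARY KEY, title TEXT, author TEXT)');
$pdo->exec("INSERT INTO bibtex (title, author) VALUES ('Paper A', 'Smith'), ('Paper B', 'O''Brien')");

// A legitimate value containing a quote: the unsafe query breaks on it
// (the same reason it can be abused), the hardened one matches correctly.
$input = ['afilter' => "O'Brien"];
try {
    echo count(listEntriesUnsafe($pdo, $input)), " row(s) from the unsafe query\n";
} catch (PDOException $e) {
    echo "unsafe query failed: the quote was parsed as SQL\n";
}
echo count(listEntriesHardened($pdo, $input)), " row(s) from the hardened query\n";
```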
Credits: