Joomla! com_hdwplayer SQL Injection Vulnerability in search.php

An SQL injection vulnerability has been identified in Joomla! com_hdwplayer version 4.2. The issue resides in the search.php file, where unauthenticated attackers can execute arbitrary SQL queries by injecting malicious code through the hdwplayersearch parameter. Exploitation involves sending POST requests with crafted SQL payloads that can extract sensitive information from the hdwplayer_videos database table.

Impact

Exploitation of this vulnerability allows for arbitrary SQL execution, which could be used to manipulate database queries, potentially leading to unauthorized data access or modification.

Reproduction

To reproduce this vulnerability, send a POST request to 'index.php' with the 'option' parameter set to 'com_hdwplayer', the 'view' parameter set to 'search', and the 'hdwplayersearch' parameter containing the injected SQL payload. The crafted SQL injection will be executed in the context of the database query, allowing extraction of data from the hdwplayer_videos table.