JoomShopping SQL Injection Vulnerability in Joomla Component
Vulnerability
A SQL injection vulnerability has been identified in the JoomShopping component for Joomla, specifically in versions 1.0.0 prior to 1.4.3. This vulnerability allows authenticated administrators to execute arbitrary SQL commands in the country management area of the backend, using the 'ordering' parameter.
Impact
Exploitation of this vulnerability allows for SQL injection, where an attacker can manipulate database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations in the application.
Reproduction
To reproduce this vulnerability, navigate to 'JoomShopping' in the Joomla backend, then go to 'Options' and select 'Country list'. Choose a country, such as Afghanistan, and save the request to a file. This request will include the vulnerable 'ordering' parameter. After saving the request, use a tool like sqlmap to exploit the SQL injection by injecting payloads that, for example, extract database information or manipulate database entries.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.