Hi,
There are several sql injections in Mambo 4.6 RC2 & Joomla 1.0.10 (and maybe
other versions) :
[The codes are from Mambo 4.6 RC2 & some may be different in Joomla]

*) When a user edits a content, the "id" parameter is not checked properly
in /components/com_content/content.php, which can cause 2 sql injections .

*) The "limit" parameter in the administration section is not checked. This
affects many pages of administration section :

File /administrator/modules/mod_logged.php, Line 45 :
:: $query = "SELECT *"
:: . "\n FROM #__session"
:: . "\n WHERE userid != 0"
:: . $_and
:: . "\n ORDER BY usertype, username"
>> . "\n LIMIT $pageNav->limitstart, $pageNav->limit"
:: ;

Also :
File /administrator/components/com_content/admin.content.php, Line 212 :
::   . "\n LIMIT $pageNav->limitstart,$pageNav->limit"

And many others .

*) In the administration section, while editing/creating a user, the "gid"
parameter is not checked properly :

File /administrator/components/com_users/admin.users.php, Line 260 :
::   $query = "SELECT name"
::   . "\n FROM #__core_acl_aro_groups"
>>   . "\n WHERE group_id = $row->gid"

And the second injection :
File /includes/gacl_api.class.php, Line 675 :
:: $this->db->setQuery( '
::   SELECT    g.group_id,o.'. $group_type .'_id,gm.group_id AS member
::   FROM    '. $object_table .' o
>>   LEFT JOIN  '. $group_table .' g ON g.group_id='. $group_id .'
::   LEFT JOIN  '. $table .' gm ON (gm.group_id=g.group_id AND gm.'. $group_type .'_id=o.'. $group_type .'_id)
::   WHERE    (o.section_value=\''. $this->db->getEscaped($object_section_value) .'\' AND o.value=\''. $this->db->getEscaped($object_value) .'\')'
:: );

And the third :
File /includes/gacl_api.class.php, Line 704 :
:: $this->db->setQuery( 'INSERT INTO '. $table .' (group_id,'. $group_type .'_id) VALUES ('. $group_id .','. $object_id .')' );


The original and complete advisory (in Persian), is located at :
http://www.hackers.ir/advisories/mambo-joomla.html


- Omid