[ TITLE ....... ][ JooDatabase (Joomla component) SQL Injection
[ DATE ........ ][ 04.04.2012
[ AUTHOR ...... ][ http://hauntit.blogspot.com
[ SOFT LINK ... ][ http://
[ VERSION ..... ][
[ TESTED ON ... ][ LAMP
[ -----------------------------------------------------------------------
[
[ 1. What is this?
[ 2. What is the type of vulnerability?
[ 3. Where is the bug :)
[ 4. More...

[--------------------------------------------[
[ 1. What is this?

This is a very nice extension for Joomla, you should try it! ;)

[--------------------------------------------[
[ 2. What is the type of vulnerability?

This is SQL injection for an authenticated user (for now ;) tests in progress...)

[--------------------------------------------[
[ 3. Where is the bug :)

"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '(...)' at line 1 SQL=SELECT * FROM qcd3p_joodb AS c WHERE name LIKE '(...)' OR id='(...)' ORDER BY (...) LIMIT 0, (...)"

$orderby and many more parameters are vulnerable to SQL injection attacks.

[--------------------------------------------[
[ 4. More...

- http://hauntit.blogspot.com
- http://www.google.com
- http://portswigger.net
[
[--------------------------------------------[
[ All questions about new projects @ mail now :) ]
[ Best regards
[
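The query shape quoted in section 3, as an added example (PHP, not JooDatabase's own code): the concatenated form that produces the quoted syntax error, beside a hardened form that binds the LIKE and id values, allow-lists the ORDER BY column and direction, and clamps the LIMIT to an integer. Only the table name and query shape come from the advisory; the function, parameter and column names and the in-memory SQLite stand-in are assumptions.

```php
<?php
// Added example, not JooDatabase's code. The table name qcd3p_joodb and the query shape come from
// the error message in section 3; function, parameter and column names are assumptions.

// Vulnerable shape, reconstructed from the advisory: request values are concatenated into the SQL,
// so a quote in $search or $id, or any text in $orderby or $limit, changes the statement itself.
function joodbQueryVulnerable(string $search, string $id, string $orderby, string $limit): string
{
    return "SELECT * FROM qcd3p_joodb AS c WHERE name LIKE '$search' OR id='$id' "
         . "ORDER BY $orderby LIMIT 0, $limit";
}

// Hardened shape: LIKE and id values are bound parameters; ORDER BY cannot be bound, so column and
// direction are checked against an allow-list; LIMIT is forced to a clamped integer.
const JOODB_SORTABLE = ['id', 'name', 'created'];   // assumed sortable columns

function joodbQueryHardened(PDO $db, string $search, string $id, string $orderby, string $limit): array
{
    $parts     = preg_split('/\s+/', trim($orderby), 2);           // "name DESC" -> ["name", "DESC"]
    $column    = in_array($parts[0], JOODB_SORTABLE, true) ? $parts[0] : 'id';
    $direction = (isset($parts[1]) && strtoupper($parts[1]) === 'DESC') ? 'DESC' : 'ASC';
    $rows      = min(max((int) $limit, 1), 100);                    // 1..100 rows per page

    $stmt = $db->prepare("SELECT * FROM qcd3p_joodb AS c WHERE name LIKE :search ESCAPE '!' "
                       . "OR id = :id ORDER BY `$column` $direction LIMIT 0, $rows");
    // Escape LIKE wildcards typed by the user (using '!' so MySQL and SQLite behave the same),
    // then wrap the literal text in our own wildcards.
    $pattern = '%' . str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $search) . '%';
    $stmt->bindValue(':search', $pattern, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demo on an in-memory SQLite table standing in for the MySQL one (constructed sample rows).
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec("CREATE TABLE qcd3p_joodb (id INTEGER, name TEXT, created TEXT)");
$db->exec("INSERT INTO qcd3p_joodb VALUES (1, 'O''Brien', '2012-01-01'), (2, 'beta', '2012-02-01')");

// A legitimate apostrophe is enough to break the concatenated query (the syntax error quoted in
// section 3); the hardened version matches it, ignores an unknown sort column and clamps the limit.
echo joodbQueryVulnerable("O'Brien", '0', 'name', '10'), "\n";
$found = joodbQueryHardened($db, "O'Brien", '0', 'not_a_column desc', '999999');
echo count($found), " row(s) matched, first: ", $found[0]['name'], "\n";
```

The same allow-list and integer-cast pattern applies to every sort, pagination and filter parameter the component reads from the request, since only values (not identifiers or row counts) can be bound.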