Joomla! Spider Form Maker 'index.php' SQL Injection Vulnerability

Bugtraq ID:	69788
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Sep 12 2014 12:00AM
Updated:	Sep 12 2014 12:00AM
Credit:	Claudio Viviani
Vulnerable:	Web-Dorado Spider Form Maker 4.3
Not Vulnerable:

Joomla! Spider Form Maker 'index.php' SQL Injection Vulnerability

Spider Form Maker for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Spider Form Maker 4.3 and prior are vulnerable.

Joomla! Spider Form Maker 'index.php' SQL Injection Vulnerability

An attacker can exploit this issue using a web browser.

The following example URI is available:

http://www.example.com/index.php?option=com_formmaker&view=formmaker&id=[SQLi]

Joomla! Spider Form Maker 'index.php' SQL Injection Vulnerability

Solution:
Reportedly the issue is fixed, however Symantec has not confirmed this. Please contact the vendor for more information.

Joomla! Spider Form Maker 'index.php' SQL Injection Vulnerability

References:

• Joomla Spider Form Maker Home Page (Web-Dorado)
  
• JVNDB-2015-006463: Directory traversal vulnerability in bitrix.mpbuilder module (Bitrix)