CVE-2008-6050
Description
SQL injection vulnerability in the Tech Articles (com_tech_article) 1.0 component for Joomla! allows remote attackers to execute arbitrary SQL commands via the item parameter to index.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- cpe:2.3:a:ircmaxell:tech_article:1.0.1:*:*:*:*:*:*:*
- (no CPE)
Vulnerability mechanics
Root cause
"Missing input sanitization on the `item` parameter allows SQL injection in the Tech Articles Joomla! component."
Attack vector
An unauthenticated remote attacker sends an HTTP GET request to `index.php` with `option=com_tech_article`, `Itemid=17`, and `task=item`, injecting SQL syntax into the `item` parameter [ref_id=1]. The application fails to neutralize special characters in this parameter, allowing the attacker to break out of the intended SQL query context and append a UNION SELECT statement [CWE-89]. The example payload uses `-1 union select 0,concat(username,0x3a,password),0,0,0,0,0,0,0 from jos_users--` to extract credentials from the Joomla! users table [ref_id=1]. No authentication or special privileges are required.
Affected code
The vulnerable component is Tech Articles (com_tech_article) 1.0 for Joomla!. The `item` parameter in `index.php` is passed directly into SQL queries without sanitization when the `option=com_tech_article` and `task=item` parameters are supplied [ref_id=1].
What the fix does
No patch is included in the bundle. The advisory does not provide remediation guidance beyond the exploit disclosure [ref_id=1]. To fix this vulnerability, the application must properly escape or parameterize the `item` parameter value before including it in SQL queries, or use prepared statements to prevent SQL injection [CWE-89].
Preconditions
- config: The Joomla! site must have the com_tech_article component (version 1.0) installed and enabled
- network: The attacker must be able to send HTTP requests to the target web server
- auth: No authentication is required
- input: The attacker supplies a malicious value in the 'item' query parameter
Reproduction
1. Identify a Joomla! site running the Tech Articles (com_tech_article) component version 1.0.
2. Send a GET request to: `http://target/index.php?option=com_tech_article&Itemid=17&item=-1+union+select+0,concat(username,0x3a,password),0,0,0,0,0,0,0+from+jos_users--&task=item` [ref_id=1].
3. The response will include the concatenated username and password hash from the `jos_users` table in the result set.
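For defenders, the request shape described under Attack vector and Reproduction can be hunted in web-server access logs. The following is an added example, not code from the advisory or the component: it flags `com_tech_article` requests whose `item` value is not a plain integer. The log lines are constructed, and the rule that `item` is a numeric article id is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (combined log format); addresses are documentation placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2009:10:00:00 +0000] "GET /index.php?option=com_tech_article'
    '&Itemid=17&item=42&task=item HTTP/1.1" 200 5120',
    '192.0.2.77 - - [01/Jan/2009:10:00:05 +0000] "GET /index.php?option=com_tech_article'
    '&Itemid=17&item=-1+union+select+0,concat(username,0x3a,password),0,0,0,0,0,0,0'
    '+from+jos_users--&task=item HTTP/1.1" 200 6011',
    '192.0.2.10 - - [01/Jan/2009:10:00:09 +0000] "GET /index.php?option=com_content'
    '&id=3 HTTP/1.1" 200 4000',
    '192.0.2.78 - - [01/Jan/2009:10:00:12 +0000] "GET /index.php?option=com_tech_article'
    '&task=item&item=7%27 HTTP/1.1" 500 312',
]

REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[0-9.]+"')
ITEM_RE = re.compile(r"[0-9]{1,10}")  # assumption: item is a numeric article id


def is_valid_item(value):
    """Allow-list check: accept only a short run of ASCII digits."""
    return ITEM_RE.fullmatch(value) is not None


def suspicious_requests(lines):
    """Return (client, decoded item value) for com_tech_article requests with a non-numeric item."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        params = parse_qs(query, keep_blank_values=True)  # decodes %XX and '+'
        if "com_tech_article" not in params.get("option", []):
            continue
        for value in params.get("item", []):
            if not is_valid_item(value):
                hits.append((line.split()[0], value))
                break
    return hits


if __name__ == "__main__":
    for client, value in suspicious_requests(SAMPLE_LOG):
        print(f"{client}\titem={value!r}")
```

The same allow-list test, applied to `item` before it reaches the query, is a stopgap where the component cannot be replaced; parameterized queries remain the actual fix.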
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.