Joomla! Component Zap Calendar Lite 4.3.4 SQL Injection

An unauthenticated attacker sends a crafted GET request to the RSVP plugin endpoint, injecting SQL commands through the `eid` parameter [ref_id=1]. The payload uses obfuscation techniques such as `/*!00000sELeCT*/` to bypass simple filters and leverages `AND`, `CONCAT`, `RAND`, and `GROUP BY` to extract database names and table structures via error-based or conditional responses. The attack requires no authentication and is performed over HTTP.

The SQL injection occurs in the Joomla! Zap Calendar Lite component version 4.3.4, specifically in the RSVP plugin endpoint accessed via `index.php?option=com_zcalendar&view=plugin&name=rsvp&task=rsvpform`. The `eid` parameter is passed unsanitized into SQL queries, allowing injection of arbitrary SQL commands.

The advisory does not include a patch diff or vendor fix. Remediation would require parameterizing the `eid` value in the SQL query or applying proper input validation and escaping within the RSVP plugin's database interaction code. Without a published fix, users should disable or remove the component until a patched version is released.

Send a GET request to `http://localhost/[PATH]/index.php?option=com_zcalendar&view=plugin&name=rsvp&task=rsvpform&user=&eid=[SQL]` where `[SQL]` is a crafted injection payload such as `1++aND(/*!00000sELeCT*/+0x30783331+/*!00000FrOM*/+(/*!00000SeLeCT*/+cOUNT(*),/*!00000CoNCaT*/((sELEcT(sELECT+/*!00000CoNCAt*/(cAST(dATABASE()+aS+cHAR),0x7e,0x496873616E53656e63616e))+fROM+iNFORMATION_sCHEMA.tABLES+wHERE+tABLE_sCHEMA=dATABASE()+lIMIT+0,1),fLOOR(rAND(0)*2))x+fROM+iNFORMATION_sCHEMA.tABLES+gROUP+bY+x)a)&format=raw` [ref_id=1].