CVE-2018-17398

Vulnerability

A SQL injection vulnerability exists in the AMGallery component version 1.2.3 for Joomla!. The flaw is present in the filter_category_id parameter, which is not properly sanitized before being used in a SQL query. This allows an attacker to inject arbitrary SQL code through user-supplied input. The vulnerable version is 1.2.3, as confirmed by the exploit reference [1].

Exploitation

The attacker can exploit this vulnerability by sending a crafted HTTP GET request to the target Joomla! site. The exploit requires no authentication, as the vulnerable parameter is accessible from the frontend. By manipulating the filter_category_id parameter with a malicious payload (e.g., URL-encoded UNION SELECT statements), the attacker can retrieve database contents. The exploit script in the reference [1] demonstrates a UNION-based injection that extracts database version and other information. The attack is remote and can be performed without user interaction.

Impact

Successful exploitation leads to information disclosure. An attacker can extract sensitive data from the underlying database, including usernames, passwords, and site configuration details. The exploit payload in [1] retrieves database user, database name, and version. This could lead to full compromise of the Joomla! site if further attacks—such as credential theft or privilege escalation—are executed.

Mitigation

As of the publication date (2019-06-19), no official patch or fixed version has been released for AMGallery 1.2.3. The vendor homepage (http://arenam.ru/) and the Joomla! extensions directory do not provide an update. Users of the vulnerable component should consider removing or disabling AMGallery and monitoring for a security update. No workaround is available [1].