CVE-2018-25433

An unauthenticated attacker can exploit this vulnerability by sending a crafted GET request to `index.php` within the `com_jephotogallery` component. The malicious payload is injected into the `categoryid` parameter. This allows the attacker to execute arbitrary SQL queries against the database, potentially extracting sensitive information. The exploit targets the `fetchimage` task to achieve this.

The vulnerability lies within the `com_jephotogallery` component of Joomla!, specifically when handling the `categoryid` parameter in the `fetchimage` task. The exploit code demonstrates constructing a URL that targets `index.php` with the `tmpl=component&option=com_jephotogallery&view=category&task=fetchimage&categoryid=` parameters, indicating the injection point.

The provided reference write-up does not include information about a patch or specific remediation steps. Therefore, the advisory does not specify how the vulnerability is fixed. Users are advised to consult the vendor for updated versions or security patches.

1. Set up Joomla! Component JE Photo Gallery 1.1. 2. Send a GET request to `index.php` with the `com_jephotogallery` component and a crafted `categoryid` parameter containing SQL injection payload, for example: `http://[TARGET]/[PATH]/index.php?tmpl=component&option=com_jephotogallery&view=category&task=fetchimage&categoryid=-29 UNION SELECT (SELECT username,password FROM jos_users),0,0,0,0,0,0,0,0,NULL,0,0-- -`