CVE-2018-7315

Vulnerability

The Ek Rishta component version 2.9 for Joomla! is vulnerable to SQL Injection in the /index.php/component/ekrishta/alluser view. The gender, age1, age2, religion, mothertounge, caste, and country parameters are not properly sanitized before being used in SQL queries, allowing an attacker to inject malicious SQL code. [1]

Exploitation

An attacker can send HTTP GET requests to the vulnerable URL with specially crafted parameter values containing SQL injection payloads. The exploit-db entry provides a proof-of-concept URL demonstrating the injection. No authentication is required as the component is accessible. The attacker can use typical SQL injection techniques such as UNION or boolean-based blind injection. [1]

Impact

Successful exploitation allows an attacker to retrieve sensitive information from the database, such as user credentials or other data, potentially leading to full compromise of the Joomla! installation. The injection can also be used to modify or delete data, depending on database permissions. [1]

Mitigation

No official patch or update has been released for Ek Rishta 2.9 as per the available references. Users are advised to disable or remove the component until a fix is available, or implement input validation and parameterized queries manually. [1]