- Create an event and click on Save.
- Get the request and change the parameter evid to a value > 0 (this should be the future id of the event. If this is the first time creating the event 1 should be the value to insert).
- Note: Check if the parameter updaterepeats is 1, if not change it to 1.
With this we get the following response (as you can see on the response we broke the SQL query):
This corresponds on the code to: /joomla/administration/com_jevents/controllers/icalevent.php
Now we inject with our SQL query into the parameter evid:
And we get the response with the proof.
4. Vulnerable Versions
- Upgrade to JEvents 3.4.0 RC6 or latest version
6. Vulnerability Timeline
- September 01, 2015 — Bug reported to JEvents
- September 01, 2015 — JEvents team acknowledges the vulnerability
- September 02, 2015 — JEvents team releases a new version
- October 28, 2015 — Public disclosure