Please view the original advisory/exploit here.
The Joomla component com_restaurantguide suffers from multiple vulnerabilities.
>> SQL Injection
(id parameter is vulnerable)
>> HTML/JS/VBS Code Injection (all input fields, also in the admin backend)
It is possible to inject HTML/JS/VBS code into the document although XSS filters are active. Simply end the current HTML tag and convert your code into decimal HTMl code without semicolons:
(which is “>injected)
The code doesn’t get parsed, so it is not possible to exploit this weakness. However, including arbitrary plain text into the current website is possible. Dangerous! 😀
>> Interesting stuff
a) Triggering various error messages in the admin panel is possible, e.g.:
administrator/index.php?option=com_restaurantguide&controller=restaurantitems&task=edit&cid=[try ‘ or -1 or an ID which does not exist]
Sometimes the code of the component gets displayed within the browser window when you try to trigger errors with different variables.
b) Playing around with the controller variable
(NOT a LFI vulnerability since the controller classes are defined in the source code, you just get different error messages.. nothing to exploit here..)