Joomla! Spielothek Component Multiple SQL Injection Vulnerabilities

SECUNIA ADVISORY ID:
SA40831

VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/40831/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=40831

RELEASE DATE:
2010-08-02

DESCRIPTION:
Salvatore Fresta has discovered some vulnerabilities in the
Spielothek component for Joomla!, which can be exploited by malicious
people to conduct SQL injection attacks.

1) Input passed via the "bid" parameter to index.php (when "option"
is set to "com_spielothek" and "task" is set to "savebattle") is not
properly sanitised before being used in SQL queries in
models/battle.php. This can be exploited to manipulate SQL queries by
injecting arbitrary SQL code.

2) Input passed via the "bid" parameter to index.php (when "option"
is set to "com_spielothek", "view" is set to "battle", and "wtbattle"
is set to "play") is not properly sanitised before being used in SQL
queries in views/battle/view.html.php. This can be exploited to
manipulate SQL queries by injecting arbitrary SQL code.

3) Input passed via the "loeschen" parameter to index.php (when
"option" is set to "com_spielothek", "view" is set to "battle",
"wtbattle" is set to "ddbdelete", and "dbtable" is set to "vS") is
not properly sanitised before being used in SQL queries in
models/battle.php. This can be exploited to manipulate SQL queries by
injecting arbitrary SQL code.

The vulnerabilities are confirmed in version 1.6.9. Other versions
may also be affected.

SOLUTION:
Edit the source code to ensure that input is properly sanitised.

PROVIDED AND/OR DISCOVERED BY:
Salvatore Fresta aka Drosophila
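
The three request patterns described above can be looked for in web server access logs. The following Python check is an added example, not part of the Secunia advisory or the Spielothek code; it assumes combined-format log lines and that "bid" and "loeschen" are meant to carry integer identifiers, which the advisory does not state.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameter conditions for the three vectors, as listed in the advisory:
# (vector number, parameters that must be set, parameter carrying the input).
VECTORS = [
    ("1", {"option": "com_spielothek", "task": "savebattle"}, "bid"),
    ("2", {"option": "com_spielothek", "view": "battle", "wtbattle": "play"}, "bid"),
    ("3", {"option": "com_spielothek", "view": "battle",
           "wtbattle": "ddbdelete", "dbtable": "vS"}, "loeschen"),
]

# Assumption (not stated in the advisory): both parameters carry integer ids.
INTEGER = re.compile(r"\d{1,10}")
# Request line of a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def classify(url):
    """Return (vector, parameter, value) for every advisory vector the URL
    matches with a non-integer value; an empty list means nothing to review."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    hits = []
    for label, required, param in VECTORS:
        if any(v not in query.get(k, []) for k, v in required.items()):
            continue
        for value in query.get(param, []):
            if not INTEGER.fullmatch(value):
                hits.append((label, param, value))
    return hits

def scan(lines):
    """Yield (line number, hits) for each log line that needs review."""
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        hits = classify(match.group(1)) if match else []
        if hits:
            yield number, hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [02/Aug/2010:10:00:00 +0000] "GET /index.php?option=com_spielothek&task=savebattle&bid=12 HTTP/1.1" 200 512',
    '192.0.2.11 - - [02/Aug/2010:10:00:05 +0000] "GET /index.php?option=com_spielothek&task=savebattle&bid=12%27 HTTP/1.1" 500 0',
    '192.0.2.10 - - [02/Aug/2010:10:00:09 +0000] "GET /index.php?option=com_spielothek&view=battle&wtbattle=play&bid=7 HTTP/1.1" 200 900',
    '192.0.2.11 - - [02/Aug/2010:10:00:12 +0000] "GET /index.php?option=com_spielothek&view=battle&wtbattle=ddbdelete&dbtable=vS&loeschen=3x HTTP/1.1" 200 300',
    '192.0.2.12 - - [02/Aug/2010:10:00:15 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE):
        print(number, hits)
```

Parameters sent in a POST body do not appear in access logs, so a clean result does not rule out requests made that way.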
