Note from the vendor received 10Mar11:
The old code was using JReguest::GetVar and we change it to JReguest::GetInt so the catid must be an integer only and not text.
We updated this over 6 months ago in version 1.1.1
1 ########################################## 1
0 I'm Sid3^effects member from Inj3ct0r Team 1
1 ########################################## 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
Name : Joomla joomanager SQli Vulnerability
Date : june, 30 2010
Critical Level : HIGH
Vendor Url : http://www.joomanager.com/
Author : Sid3^effects aKa HaRi <shell_c99[at]yahoo.com>
special thanks to : r0073r (inj3ct0r.com),L0rd CruSad3r,MaYur,MA1201,KeDar,Sonic,gunslinger_,Sn!pEr.S!Te,n4pst3rr
greetz to :www.topsecure.net ,All ICW members and my friends :) luv y0 guyz
#######################################################################################################
Description:
JooManager enables you to create a phenomenal real estate website for your clients so they can dominate the listing market! Today's most successful Realtors have already realized that consumers are using search engines to buy and sell real estate. JoomProperty from its front end display to its extremely user-friendly backend technology, is built to adhere to search engines' best practices.
###############################################################################################################
Xploit: SQLi VUlnerability
DEMO URL : http://server/component/joomanager/?view=itemslist&catid=[sqli]
###############################################################################################################
# 0day no more
# Sid3^effects
