SQL injection vulnerability in the submitSurvey function in controller.php in JQuarks4s (com_jquarks4s) component 1.0.0 for Joomla!, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the q parameter in a submitSurvey action to index.php.
Joomla! websites using the vulnerable JQuarks4s component are susceptible to a critical SQL injection vulnerability. Attackers can remotely inject malicious SQL code through a crafted HTTP request, potentially leading to complete database compromise, including sensitive data theft and server takeover. This vulnerability is particularly dangerous when the PHP configuration magic_quotes_gpc is disabled.
Step 1: Payload Delivery: The attacker crafts a malicious HTTP GET or POST request to index.php on the vulnerable Joomla! website. The request targets the submitSurvey action of the com_jquarks4s component.
Step 2: Parameter Injection: The attacker includes a specially crafted SQL injection payload within the q parameter of the request. This payload is designed to execute arbitrary SQL commands.
Step 3: Query Execution: The submitSurvey function in controller.php receives the request and, without proper sanitization, incorporates the attacker-controlled q parameter directly into an SQL query.
Step 4: Database Interaction: The database server executes the injected SQL commands. This could involve reading sensitive data, modifying database contents, or even executing operating system commands if the database server is configured to allow it.
Step 5: Information Disclosure/System Compromise: The attacker leverages the executed SQL commands to achieve their objectives, such as retrieving usernames and passwords, dumping the entire database, or gaining remote code execution.
The vulnerability stems from a lack of input validation and sanitization within the submitSurvey function of controller.php in the com_jquarks4s component. Specifically, the q parameter, used to submit survey responses, is incorporated directly into an SQL query without being escaped or filtered. When magic_quotes_gpc is disabled, the raw request value reaches the database unchanged, so an attacker can inject arbitrary SQL. The root cause is the absence of parameterized queries or proper escaping, a classic SQL injection flaw: the function never treats the q value as untrusted data, which allows unauthorized database access and manipulation.
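An added illustration of the flaw class and its fix, not the component's actual controller.php (which this advisory does not reproduce): a survey-answer insert written the vulnerable way beside a version that uses the Joomla 1.5-era JDatabase API to escape the value. The table name, column name and function names are assumptions.

```php
<?php
// Hypothetical code added for illustration; it is not the JQuarks4s source.
// Table and column names (#__jquarks4s_answers, answer) are assumed.

// VULNERABLE PATTERN: the raw 'q' request value is concatenated into the SQL
// text. With magic_quotes_gpc off nothing escapes quote characters, so the
// value can alter the structure of the statement instead of being plain data.
function submitSurveyVulnerable()
{
    $db  = JFactory::getDBO();
    $q   = JRequest::getString('q', '');
    $sql = "INSERT INTO #__jquarks4s_answers (answer) VALUES ('" . $q . "')";
    $db->setQuery($sql);
    return $db->query();
}

// FIXED PATTERN: the user-supplied value goes through $db->Quote(), which
// wraps it in quotes and escapes it for the active database driver, and the
// identifiers go through nameQuote(). The value is now always treated as data,
// regardless of the magic_quotes_gpc setting.
function submitSurveyFixed()
{
    $db  = JFactory::getDBO();
    $q   = JRequest::getString('q', '');
    $sql = 'INSERT INTO ' . $db->nameQuote('#__jquarks4s_answers')
         . ' (' . $db->nameQuote('answer') . ')'
         . ' VALUES (' . $db->Quote($q) . ')';
    $db->setQuery($sql);
    if (!$db->query()) {
        // Surface the driver error instead of silently continuing.
        JError::raiseWarning(500, $db->getErrorMsg());
        return false;
    }
    return true;
}
```

magic_quotes_gpc was deprecated in PHP 5.3 and removed in 5.4, so it cannot be relied on as a mitigation; every value must be escaped or bound explicitly as above. Until the component is patched or removed, web-server logs for requests that reach the submitSurvey action with quote characters in q are the practical place to look for exploitation attempts.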