CVE-2018-5984
📋 TL;DR
This is a critical SQL injection vulnerability in the Tumder 2.1 component for Joomla! that allows attackers to execute arbitrary SQL commands via the PATH_INFO parameter in category/ URLs. Attackers can potentially access, modify, or delete database content. All Joomla! installations using the vulnerable Tumder component are affected.
💻 Affected Systems
- Tumder (An Arcade Games Platform) component for Joomla!
📦 What is this software?
Tumder by Tumder Project
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including data theft, data destruction, privilege escalation to admin access, and potential remote code execution via database functions.
Likely Case
Database information disclosure, data manipulation, and potential authentication bypass leading to unauthorized access.
If Mitigated
Limited impact with proper input validation and parameterized queries preventing SQL injection.
🎯 Exploit Status
Public exploit code is available and exploitation requires minimal technical skill.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check with component developer for updated version
Vendor Advisory: No official vendor advisory found
Restart Required: No
Instructions:
1. Update to the latest version of the Tumder component if one is available.
2. If no update exists, remove or disable the component.
3. Apply Joomla! security updates.
4. Review and sanitize all user inputs.
🔧 Temporary Workarounds
Web Application Firewall (WAF) Rules
Implement WAF rules that inspect the request path (where PATH_INFO is carried), not only query and body arguments, since the injection point is the path of category/ URLs.
# Example ModSecurity rule (libinjection check on the URL-decoded URI and arguments):
SecRule REQUEST_URI|ARGS "@detectSQLi" "id:1001,phase:2,t:urlDecodeUni,deny,status:403,msg:'SQL Injection Attempt'"
# Example .htaccess rules (inside the existing RewriteEngine On block): reject category/ requests whose decoded path or query string contains characters outside the expected URL alphabet
RewriteCond %{REQUEST_URI} category/ [NC]
RewriteCond %{REQUEST_URI}%{QUERY_STRING} [^a-zA-Z0-9_=/&?.-]
RewriteRule .* - [F,L]
Disable Vulnerable Component
Temporarily disable the Tumder component until patched
# Joomla! Admin Panel: Extensions > Manage > Disable Tumder component
# Database (`#__` is the site's configured table prefix): UPDATE `#__extensions` SET `enabled` = 0 WHERE `element` = 'com_tumder'
🧯 If You Can't Patch
- Implement strict input validation and parameterized queries for all database operations
- Deploy a web application firewall with SQL injection detection rules
🔍 How to Verify
Check if Vulnerable:
Check whether the Tumder component (version 2.1) is installed, either via the Joomla! extension manager or with a database query:
SELECT * FROM `#__extensions` WHERE `element` = 'com_tumder'
Check Version:
# Joomla! Admin: Extensions > Manage > Search for Tumder
# Database: SELECT manifest_cache FROM `#__extensions` WHERE `element` = 'com_tumder'
Verify Fix Applied:
Verify component is updated to patched version or disabled. Test category/ URLs with SQL injection payloads to confirm they're blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL errors in web server logs
- Multiple requests to category/ URLs with SQL syntax in parameters
- Database connection errors or unusual query patterns
Network Indicators:
- HTTP requests containing SQL keywords (SELECT, UNION, etc.) in PATH_INFO
- Abnormal traffic patterns to category endpoints
SIEM Query (pseudo-syntax; the keywords are matched in the URL path as well as the query string, because the injection point is PATH_INFO):
source="web_logs" AND url="*category/*" AND (url="*SELECT*" OR url="*UNION*" OR url="*OR 1=1*" OR query="*SELECT*" OR query="*UNION*" OR query="*OR 1=1*")
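The log indicators above, applied to combined-format web server access logs, as an added example that is not part of the original advisory. It URL-decodes each request target (repeatedly, to catch double encoding), scopes to category/ paths, and flags SQL syntax in the path (PATH_INFO) or query string; the log lines, hosts and regex are constructed for illustration.

```python
"""Scan combined-format access log lines for the CVE-2018-5984 indicators (added example)."""
import re
from urllib.parse import unquote_plus, urlsplit

# Combined log format: host ident user [time] "METHOD target HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# SQL fragments from the advisory's indicator list, plus SQL comment openers; matched after decoding
SQLI_RE = re.compile(r"\b(union|select)\b|\bor\s+1\s*=\s*1\b|--|/\*", re.IGNORECASE)


def decode_target(target):
    """Split the request target into a decoded path and query; decode up to 3 times (double encoding)."""
    parts = urlsplit(target)
    path, query = parts.path, parts.query
    for _ in range(3):  # bounded so a pathological input cannot loop forever
        new_path, new_query = unquote_plus(path), unquote_plus(query)
        if (new_path, new_query) == (path, query):
            break
        path, query = new_path, new_query
    return path, query


def is_suspicious(target):
    """True when a category/ request carries SQL syntax in its path (PATH_INFO) or query string."""
    path, query = decode_target(target)
    if "category/" not in path.lower():
        return False  # other endpoints are out of scope for this indicator
    return bool(SQLI_RE.search(path) or SQLI_RE.search(query))


def scan_log(lines):
    """Return (host, status, decoded path) for each line that matches the indicators."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_suspicious(m.group("target")):
            path, _ = decode_target(m.group("target"))
            hits.append((m.group("host"), int(m.group("status")), path))
    return hits


# Constructed sample log lines (not real traffic): a benign hit, a single-encoded and a double-encoded
# probe against category/, and SQL keywords on an unrelated endpoint that must not be flagged
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2018:10:00:01 +0000] "GET /index.php/category/arcade HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2018:10:00:02 +0000] "GET /index.php/category/1%27%20UNION%20SELECT%201 HTTP/1.1" 500 312 "-" "curl/7.58"',
    '203.0.113.7 - - [10/Jan/2018:10:00:03 +0000] "GET /index.php/category/1%2527%2520OR%25201%253D1 HTTP/1.1" 200 5120 "-" "python-requests/2.18"',
    '198.51.100.9 - - [10/Jan/2018:10:00:04 +0000] "GET /index.php/component/search/?searchword=union HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for host, status, path in scan_log(SAMPLE_LOG):
        print(f"{host} {status} {path}")
```

The 500 status on a flagged line corresponds to the "unusual SQL errors" indicator and is worth escalating first.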