packetstorm | Pham Van Khanh | PACKETSTORM:127497
History: Jul 16, 2014 - 12:00 a.m.

Joomla Youtube Gallery 4.1.7 SQL Injection

2014-07-16 00:00:00
Pham Van Khanh
packetstormsecurity.com
30

EPSS: 0.001 (Low), Percentile: 35.0%

```text
# Exploit Title: Joomla component com_youtubegallery - SQL Injection vulnerability
# Google Dork: inurl:index.php?option=com_youtubegallery
# Date: 15-07-2014
# Exploit Author: Pham Van Khanh ([email protected])
# Vendor Homepage: http://www.joomlaboat.com/youtube-gallery
# Software Link: http://www.joomlaboat.com/youtube-gallery
# Version: 4.x ( 3.x maybe)
# Tested on: newest version 4.1.7 on Joomla 1.5, 2.5, 3
# CVE : CVE-2014-4960
```

Detail:
At line 40 of components\com_youtubegallery\models\gallery.php, if the parameter listid is an int (or can be cast to int), $listid and $themeid are not sanitized: the guard tests JRequest::getInt(), but the values actually assigned come from JRequest::getVar(), which returns the raw request string.

Source code:
```php
40: if(JRequest::getInt('listid'))
41: {
42: //Shadow Box
43: $listid=JRequest::getVar('listid');
44:
45:
46: //Get Theme
47: $m_themeid=(int)JRequest::getVar('mobilethemeid');
48: if($m_themeid!=0)
49: {
50: if(YouTubeGalleryMisc::check_user_agent('mobile'))
51: $themeid=$m_themeid;
52: else
53: $themeid=JRequest::getVar('themeid');
54: }
55: else
56: $themeid=JRequest::getVar('themeid');
57: }
```

Afterwards, $themeid and $listid are used at lines 86 and 92. The two methods getVideoListTableRow and getThemeTableRow concatenate them into a string to build the SQL query, so the component is vulnerable to SQL injection.

Source code:
```php
86: if(!$this->misc->getVideoListTableRow($listid))
87: {
88: echo '<p>No video found</p>';
89: return false;
90: }
91:
92: if(!$this->misc->getThemeTableRow($themeid))
93: {
94: echo '<p>No video found</p>';
95: return false;
96: }
```

```text
# Site PoC: http://server/index.php?option=com_youtubegallery&view=youtubegallery&listid=1&themeid=1'&videoid=ETMVUuFbToQ&tmpl=component&TB_iframe=true&height=500&width=700
```
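The guard-then-raw-read pattern from gallery.php, reduced to a stand-alone script as an added example (not code from the advisory or from the Youtube Gallery component): getInt and getVar here are stand-ins for the JRequest calls, the table name and query text are hypothetical since the advisory does not show getVideoListTableRow, and the sample request is constructed. It shows why the getInt() check does not protect the value that reaches the query, and the fix of passing the cast integer instead.

```php
<?php
// Added example: stand-ins for JRequest::getInt / JRequest::getVar so this runs
// outside Joomla. The real getInt() goes through JFilterInput, but the relevant
// behaviour is the same: leading digits are kept and the rest is dropped.
function getInt(array $request, string $name): int
{
    return (int) ($request[$name] ?? 0);   // "1'" becomes 1, which is truthy
}

function getVar(array $request, string $name): ?string
{
    return $request[$name] ?? null;        // raw request string, untouched
}

// Mirrors gallery.php lines 40-43: the guard tests the int form, but the raw
// string is what gets stored and later concatenated. The table name and query
// are hypothetical; the advisory only states that $listid is concatenated.
function buildVideoListQueryVulnerable(array $request): ?string
{
    if (!getInt($request, 'listid')) {
        return null;
    }
    $listid = getVar($request, 'listid');          // raw value, quote included
    return 'SELECT * FROM #__youtubegallery_lists WHERE id=' . $listid;
}

// Hardened form: keep the integer the guard already computed and use only that.
// For a parameter that is legitimately a string, the equivalent is to pass the
// value through the database driver's quote() rather than concatenating it.
function buildVideoListQueryFixed(array $request): ?string
{
    $listid = getInt($request, 'listid');
    if ($listid === 0) {
        return null;
    }
    return 'SELECT * FROM #__youtubegallery_lists WHERE id=' . $listid;
}

// Constructed sample request, matching the advisory's PoC value: a stray quote
// after a valid id. It passes the getInt() guard in both versions, but only the
// vulnerable builder lets the quote reach the SQL text.
$request = ['listid' => "1'"];

echo "vulnerable: ", buildVideoListQueryVulnerable($request), PHP_EOL;
echo "fixed:      ", buildVideoListQueryFixed($request), PHP_EOL;
```

The $themeid reads on lines 53 and 56 follow the same pattern and take the same fix.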
