From the URL which is taken as exploit: http://server/path/index.php?option=com
... es&Itemid=[SQL Injection]
I cannot find any unprotected Itemid section in Phoca Gallery:
- line 155 - JRequest::getVar('Itemid', 0, '', 'int') - protected by integer
:: there is no controller for this view
:: model does not include any itemid request
$currentItemId = JRequest::getVar('Itemid', 0, '', 'int');
return JRequest::getVar('Itemid', 0, '', 'int');
are protected by integer.
So for now I see no place where the exploit can be used.
I will do more tests (but I looked at the whole categories view, route helper file and all the libraries).
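
The manual review described in this post, confirming that every read of Itemid passes through the integer filter, can be scripted. The following is an added example, not part of the original post or of Phoca Gallery's code. It assumes the Joomla 1.5 JRequest API, where the fourth argument of getVar is the filter type (default 'none') and getInt always casts to an integer; all sample lines after the first two are constructed.

```python
import re

# JRequest::getVar(name, default, hash, type) or JRequest::getInt(name, default)
CALL_RE = re.compile(r"JRequest::(getVar|getInt)\s*\(([^()]*)\)")
# One argument: a quoted string or a bare token (nested calls are not handled)
ARG_RE = re.compile(r"""'[^']*'|"[^"]*"|[^,\s]+""")
INT_TYPES = {"INT", "INTEGER"}  # filter types that cast the value to an integer


def audit_itemid_reads(source):
    """Return (line_no, verdict, filter_type) for every JRequest read of Itemid."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), 1):
        for method, raw_args in CALL_RE.findall(line):
            args = [a.strip("'\"") for a in ARG_RE.findall(raw_args)]
            if not args or args[0] != "Itemid":
                continue
            if method == "getInt":
                ftype = "int"
            else:
                # Assumption: a missing 4th argument means the default type 'none'
                ftype = args[3] if len(args) > 3 else "none"
            verdict = "int" if ftype.upper() in INT_TYPES else "REVIEW"
            findings.append((line_no, verdict, ftype))
    return findings


# The first two lines are quoted in the post; the rest are constructed cases.
SAMPLE = """\
$currentItemId = JRequest::getVar('Itemid', 0, '', 'int');
return JRequest::getVar('Itemid', 0, '', 'int');
$itemId = JRequest::getVar('Itemid');
$id = JRequest::getInt('Itemid', 0);
$view = JRequest::getVar('view', '', '', 'cmd');
$q = 'WHERE id = ' . JRequest::getVar( 'Itemid', 0, 'get', 'string' );
"""

if __name__ == "__main__":
    for line_no, verdict, ftype in audit_itemid_reads(SAMPLE):
        print(f"line {line_no}: type={ftype!r} -> {verdict}")
```

A REVIEW verdict only means the value is not cast to an integer at the point it is read; whether it later reaches a query still has to be checked by hand.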