0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Joomla Community Builder Enhenced Component LFI/RCE Vulnerability
======================================================================= Joomla Community Builder Enhenced (CBE) Component LFI/RCE Vulnerability ======================================================================= Description: Joomla CBE suffers from a local file inclusion vulnerability. As CBE also offers file uploading functionality that allows to upload files that contain php-code, this can be used to execute arbitary system-commands on the host with the webservers privileges. Risk: High Affected versions: - CBE v1.4.10 - CBE v1.4.9 - CBE v1.4.8 (maybe older versions) Not affaceted: - CBE v1.4.11 (current) Vulnerable code: in cbe.php a file identified by the param "tabname" is included if the "ajaxdirekt" param is set, without sanatizing the value of "tabname" first: -- $ajaxdirekt = JRequest::getVar('ajaxdirekt', null); $tabname = JRequest::getVar('tabname', null); if ($ajaxdirekt) { $tabfile = JPATH_SITE.DS.'components'.DS.'com_cbe'.DS.'enhanced'.DS.$tabname.DS.$tabname.".php"; if (file_exists($tabfile)) { include_once($tabfile); } return; } -- Exploitation / poc: index.php?option=com_cbe&task=userProfile&user=23&ajaxdirekt=true&tabname=../../../CREDITS.php%00 will execute the CREDITS.php Addional attack-vectors: CBE offers a file-upload function for uploading user profile images. The uploaded file is not checked for beeing well-formed, it only needs to have the right mime-type and maybe (depends on profile-picture configuration) the right size, so we can embed php-code in the profile-picture. Lets say we have registered an account on the site with the user-id 23, then we can execute the backdoor by requesting: index.php?option=com_cbe&task=userProfile&user=23&ajaxdirekt=true&tabname=../../../images/cbe/23.gif%00 As we stay in the documents-root, we dont even have to worry about safe-mode directory restrictions, and using GIFs will bypass most of CBE's image pre-processing functions during file upload (except file- and image-size checks). Solutions: a) check if the contents of an uploaded file contains a php open-tag ('<?php') (requires that the php-short-open-tag option is disabled) b) Joomla offers several functions for accessing POST and GET params, i guess using getWord() instead of getVar() would be a better choice in this case. History: 04.10.2010 - vendor informed 07.10.2010 - vendor released fixed version 08.10.2010 - public disclosure Cheers Delf Tonder # 0day.today [2024-12-24] #