[webapps / 0day] - JomSocial 1.8.8 Shell Upload Vulnerabilit
Posted on 30 September 2010
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8' /><meta http-equiv='Content-Language' content='en' /><title>JomSocial 1.8.8 Shell Upload Vulnerability | Inj3ct0r - exploit database : vulnerability : 0day : shellcode</title><meta name='description' content='Date: 30 Sep 2010 | Exploit category: webapps / 0day | Exploit author: Jeff Channell | Inj3ct0r - exploit database : vulnerability : 0day : shellcode' /><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon' /><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss' /><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></head><body><pre>========================================== JomSocial 1.8.8 Shell Upload Vulnerability ========================================== There is a file upload vulnerability in version 1.8.8 and earlier of JomSocial, the popular community extension for Joomla!. Successful exploitation of this exploit requires the site to be configured to allow users to upload video files directly, which is disabled by default. If this feature is enabled, any file uploaded via the "add video" upload form will end up in http://[victim]/images/originalvideos/[your account's user id]/[unique file name]. This folder is not protected with an index, so if indexes are allowed retrieving the shell's filename is trivial. Listed on the JomSocial Changelog as "BUG: 4495" <http://www.jomsocial.com/docs/Change_Log#Version_1.8.9> Timeline * Vulnerabilities Discovered: 26 September 2010 * Vendor Notified: 27 September 2010 * Vendor Response: 27 September 2010 * Update Available: 28 September 2010 * Disclosure: 30 September 2010 http://jeffchannell.com/Joomla/jomsocial-188-shell-upload-vulnerability.html # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-09-30]</pre></body></html>
