[webapps / 0day] - JE Messenger 1.0 Arbitrary File Upload Vu
Posted on 09 December 2010
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8' /><meta http-equiv='Content-Language' content='en' /><title>JE Messenger 1.0 Arbitrary File Upload Vulnerability | Inj3ct0r - exploit database : vulnerability : 0day : shellcode</title><meta name='description' content='JE Messenger 1.0 Arbitrary File Upload Vulnerability by Salvatore Fresta in webapps / 0day | Inj3ct0r 1337 - exploit database : vulnerability : 0day : shellcode' /><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon' /><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss' /><script type='text/javascript'>var _gaq = _gaq || [];_gaq.push(["_setAccount", "UA-12725838-1"]);_gaq.push(["_setDomainName", "none"]);_gaq.push(["_setAllowLinker", true]);_gaq.push(["_trackPageview"]);(function(){var ga = document.createElement("script"); ga.type = "text/javascript"; ga.async = true;ga.src = ("https:" == document.location.protocol ? "https://ssl" : "http://www") + ".google-analytics.com/ga.js";var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(ga, s);})();</script></head><body><pre>==================================================== JE Messenger 1.0 Arbitrary File Upload Vulnerability ==================================================== JE Messenger 1.0 Arbitrary File Upload Vulnerability Name JE Messenger Vendor http://joomlaextensions.co.in Versions Affected 1.0 Author Salvatore Fresta aka Drosophila Website http://www.salvatorefresta.net Contact salvatorefresta [at] gmail [dot] com Date 2010-12-09 X. INDEX I. ABOUT THE APPLICATION II. DESCRIPTION III. ANALYSIS IV. SAMPLE CODE V. FIX I. ABOUT THE APPLICATION ________________________ JE Messenger is a Joomla's component. II. DESCRIPTION _______________ A parameter is not properly sanitised before being used from the native Joomla's upload function. III. ANALYSIS _____________ Summary: A) Arbitrary File Upload A) Arbitrary File Upload ________________________ A logic error in the save function (compose.php) allows to a registered user to upload a file with any extension. The check for a valid file's extension is made after the upload and in the failure case, the file doesn't removed from the server. This can be exploited to execute arbitrary PHP code by uploading a PHP file. The file's name is different after the upload: $file['name'] = time().'in'.$file['name']; Example: Original file's name: shell.php Uploaded file's name: 1291907399inshell.php Where 1291907399 is the value returns from the time() function. The file will be uploaded to the following directory: $dest = JPATH_ROOT.DS.'components/'.$option.'/assets/images/'.$file['name']; The default destination is: http://site/path/components/com_jemessenger/assets/images/ IV. SAMPLE CODE _______________ A) Arbitrary File Upload 1 - Login to target website's Joomla 2 - Go to http://site/path/index.php?option=com_jemessenger&view=compose 3 - Compile a valid form and select an arbitrary file 4 - Go to http://site/path/components/com_jemessenger/assets/images/filename Try a little bruteforce to find the value returned from the time() function. V. FIX ______ No fix. # <a href='http://1337db.com/'>1337db.com</a> [2010-12-09]</pre></body></html>
