extplorer-exec.txt
Posted on 02 March 2009
=============================================
INTERNET SECURITY AUDITORS ALERT 2009-002
- Original release date: January 7th, 2009
- Last revised: March 2nd, 2009
- Discovered by: Juan Galiana Lara
- Severity: 9/10 (CVSS scored)
=============================================

I. VULNERABILITY
-------------------------
eXtplorer standalone & Joomla!/Mambo Remote Code Execution vulnerability

II. BACKGROUND
-------------------------
eXtplorer is a web-based File Management Component for all your needs. It has a desktop-application-like interface with drag&drop, grid and a directory tree and makes heavy use of the ExtJS Javascript Library. It's widely used to access and modify the files and directories on your server via FTP or direct file access. It runs natively under Joomla! 1.5.x, 1.0.x, Mambo component and can also be used as a standalone app. It is based on Quixplorer (available at http://sourceforge.net/projects/quixplorer/). eXtplorer is released under a dual-license: the Mozilla Public License (MPL 1.1) and the GNU General Public License (GNU/GPL).

III. DESCRIPTION
-------------------------
eXtplorer is prone to a local file include and directory traversal vulnerability because the application fails to sufficiently sanitize user-supplied input. The parameter 'lang' is not properly sanitized. Since the application allows files to be uploaded to the server, this could be combined with previous vulnerabilities to allow an attacker to view any local file or execute arbitrary code remotely in the context of the webserver. This may aid in launching further attacks.

In order to perform the attack, an attacker could upload malicious PHP code (the upload action is allowed by the application), then exploit a bug to learn the full path to the recently uploaded local file (if the 'display_errors' directive is set to On), and then include it by exploiting the local file include and directory traversal flaw (using ../../path/to/file) to finally execute the PHP code.

Successful exploitation of this flaw may aid in the compromise of the server in the context of the webserver. The software is affected running standalone or as a Joomla!/Mambo component.

IV. PROOF OF CONCEPT
-------------------------
The affected code:

File: include/init.php
Line 100

$GLOBALS["language"] = $mainframe->getUserStateFromRequest( 'language', 'lang', $default_lang );

File: include/init.php
Line: 145

// Necessary files
require_once( _EXT_PATH."/config/conf.php" );
if( file_exists(_EXT_PATH."/languages/".$GLOBALS["language"].".php")) {
    require_once( _EXT_PATH."/languages/".$GLOBALS["language"].".php" ); <- HERE
} else {
    require_once( _EXT_PATH."/languages/english.php" );
}
if( file_exists(_EXT_PATH."/languages/".$GLOBALS["language"]."_mimes.php")) {
    require_once( _EXT_PATH."/languages/".$GLOBALS["language"]."_mimes.php" ); <- HERE
} else {
    require_once( _EXT_PATH."/languages/english_mimes.php" );
}

The file include/init.php is included in every request to the application.

Here is a PoC:

PoC: http://site/path/?lang=../../path/to/maliciuos_uploaded_code
PoC: http://site/path/?lang=../../../../../etc/passwd%00

The bug can be exploited with or without 'magic_quotes_gpc', but note that if magic_quotes_gpc is set to Off, an attacker can view any file, adding a '
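The following is an added example written for this page; it is not eXtplorer's code and not a patch from the project. It re-creates the string concatenation from include/init.php in Python so the two PoC values above can be run against it offline, and pairs it with a hardened resolver that allowlists the language name, rejects NUL bytes, and confines the resolved file to the languages/ directory with a realpath containment check. The temporary directory layout, the allowlist pattern and the function names are assumptions made for the example.

```python
"""Vulnerable vs. hardened resolution of an eXtplorer-style 'lang' parameter.

Added example (not eXtplorer's code). build_demo_tree() constructs a stand-in
for an install directory so the functions can be exercised offline.
"""
import os
import re
import tempfile
from urllib.parse import unquote

# Hypothetical allowlist for language names such as "english" or "pt_br".
LANG_NAME_RE = re.compile(r"[a-z][a-z_]{0,31}")


def build_demo_tree():
    """Constructed stand-in for _EXT_PATH: a languages/ dir plus a file outside it."""
    base = tempfile.mkdtemp(prefix="extplorer_demo_")
    os.makedirs(os.path.join(base, "languages"))
    for name in ("english", "german"):
        with open(os.path.join(base, "languages", name + ".php"), "w") as fh:
            fh.write("<?php // %s strings\n" % name)
    with open(os.path.join(base, "secret.txt"), "w") as fh:
        fh.write("not a language file\n")
    return base


def naive_language_path(base, lang):
    """Mirror of the vulnerable expression _EXT_PATH."/languages/".$lang.".php".

    Returns the string the affected code hands to file_exists()/require_once();
    nothing in it prevents '..' segments, and PHP builds of that era truncated
    file names at a NUL byte, which is why the '%00' PoC drops the '.php' suffix.
    """
    return base + "/languages/" + unquote(lang) + ".php"


def safe_language_path(base, lang, default="english"):
    """Resolve lang to a file strictly inside base/languages, else the default.

    Three layers: an allowlist on the name itself, an explicit NUL-byte reject,
    and a realpath containment check on the resolved file.
    """
    lang = unquote(lang)
    if "\x00" in lang or not LANG_NAME_RE.fullmatch(lang):
        lang = default
    languages_dir = os.path.realpath(os.path.join(base, "languages"))
    candidate = os.path.realpath(os.path.join(languages_dir, lang + ".php"))
    # The resolved file must sit directly inside languages/ and actually exist.
    if os.path.dirname(candidate) != languages_dir or not os.path.isfile(candidate):
        candidate = os.path.join(languages_dir, default + ".php")
    return candidate


if __name__ == "__main__":
    base = build_demo_tree()
    # The first value is a legitimate language; the other two are the advisory's PoC shapes.
    for payload in ("german", "../../secret", "../../../../../etc/passwd%00"):
        print("lang=%r" % payload)
        print("  vulnerable concatenation ->", naive_language_path(base, payload))
        print("  hardened resolver        ->", safe_language_path(base, payload))
```

The containment check matters even with the allowlist in place: if a later change relaxed the pattern, the realpath comparison would still stop any resolved file that lands outside languages/ from being included.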