JE Messenger 1.0 Arbitrary File Upload Vulnerability
2010-12-09 19:15:09JE Messenger 1.0 Arbitrary File Upload Vulnerability
Name JE Messenger
Vendor http://joomlaextensions.co.in
Versions Affected 1.0
Author Salvatore Fresta aka Drosophila
Website http://www.salvatorefresta.net
Contact salvatorefresta [at] gmail [dot] com
Date 2010-12-09
X. INDEX
I. ABOUT THE APPLICATION
II. DESCRIPTION
III. ANALYSIS
IV. SAMPLE CODE
V. FIX
I. ABOUT THE APPLICATION
________________________
JE Messenger is a Joomla's component.
II. DESCRIPTION
_______________
A parameter is not properly sanitised before being used
from the native Joomla's upload function.
III. ANALYSIS
_____________
Summary:
A) Arbitrary File Upload
A) Arbitrary File Upload
________________________
A logic error in the save function (compose.php) allows
to a registered user to upload a file with any extension.
The check for a valid file's extension is made after the
upload and in the failure case, the file doesn't removed
from the server. This can be exploited to execute
arbitrary PHP code by uploading a PHP file.
The file's name is different after the upload:
$file['name'] = time().'in'.$file['name'];
Example:
Original file's name: shell.php
Uploaded file's name: 1291907399inshell.php
Where 1291907399 is the value returns from the time()
function.
The file will be uploaded to the following directory:
$dest = JPATH_ROOT.DS.'components/'.$option.'/assets/images/'.$file['name'];
The default destination is:
http://site/path/components/com_jemessenger/assets/images/
IV. SAMPLE CODE
_______________
A) Arbitrary File Upload
1 - Login to target website's Joomla
2 - Go to http://site/path/index.php?option=com_jemessenger&view=compose
3 - Compile a valid form and select an arbitrary file
4 - Go to http://site/path/components/com_jemessenger/assets/images/filename
Try a little bruteforce to find the value returned from
the time() function.
V. FIX
______
No fix.
Fixes
No fixesIn order to submit a new fix you need to be registered.