ExploitFixes
JE Messenger 1.0 Arbitrary File Upload Vulnerability 2010-12-09 19:15:09

JE Messenger 1.0 Arbitrary File Upload Vulnerability

Name JE Messenger
Vendor http://joomlaextensions.co.in
Versions Affected 1.0

Author Salvatore Fresta aka Drosophila
Website http://www.salvatorefresta.net
Contact salvatorefresta [at] gmail [dot] com
Date 2010-12-09

X. INDEX

I. ABOUT THE APPLICATION
II. DESCRIPTION
III. ANALYSIS
IV. SAMPLE CODE
V. FIX


I. ABOUT THE APPLICATION
________________________

JE Messenger is a Joomla's component.


II. DESCRIPTION
_______________

A parameter is not properly sanitised before being used
from the native Joomla's upload function.


III. ANALYSIS
_____________

Summary:

A) Arbitrary File Upload


A) Arbitrary File Upload
________________________

A logic error in the save function (compose.php) allows
to a registered user to upload a file with any extension.
The check for a valid file's extension is made after the
upload and in the failure case, the file doesn't removed
from the server. This can be exploited to execute
arbitrary PHP code by uploading a PHP file.

The file's name is different after the upload:

$file['name'] = time().'in'.$file['name'];

Example:

Original file's name: shell.php
Uploaded file's name: 1291907399inshell.php

Where 1291907399 is the value returns from the time()
function.

The file will be uploaded to the following directory:

$dest = JPATH_ROOT.DS.'components/'.$option.'/assets/images/'.$file['name'];

The default destination is:

http://site/path/components/com_jemessenger/assets/images/


IV. SAMPLE CODE
_______________

A) Arbitrary File Upload

1 - Login to target website's Joomla
2 - Go to http://site/path/index.php?option=com_jemessenger&view=compose
3 - Compile a valid form and select an arbitrary file
4 - Go to http://site/path/components/com_jemessenger/assets/images/filename


Try a little bruteforce to find the value returned from
the time() function.


V. FIX
______

No fix.