Joomla Community Builder Enhenced CBE Component LFI/RCE Vulnerability

ID EDB-ID:15222
Type exploitdb
Reporter Delf Tonder
Modified 2010-10-09T00:00:00


Joomla Community Builder Enhenced (CBE) Component LFI/RCE Vulnerability. CVE-2010-5280. Webapps exploit for php platform

Joomla CBE suffers from a local file inclusion vulnerability. As CBE 
also offers file uploading functionality that allows to upload files 
that contain php-code, this can be used to execute arbitary 
system-commands on the host with the webservers privileges.


Affected versions:
- CBE v1.4.10
- CBE v1.4.9
- CBE v1.4.8
(maybe older versions)

Not affaceted:
- CBE v1.4.11 (current)

Vulnerable code:
in cbe.php a file identified by the param "tabname" is included if the 
"ajaxdirekt" param is set, without sanatizing the value of "tabname" first:
$ajaxdirekt    = JRequest::getVar('ajaxdirekt', null);
     $tabname = JRequest::getVar('tabname', null);

     if ($ajaxdirekt) {
         $tabfile = 
         if (file_exists($tabfile)) {

Exploitation / poc:

will execute the CREDITS.php

Addional attack-vectors:
CBE offers a file-upload function for uploading user profile images. The 
uploaded file is not checked for beeing well-formed, it only needs to 
have the right mime-type and maybe (depends on profile-picture 
configuration) the right size, so we can embed php-code in the 
profile-picture. Lets say we have registered an account on the site with 
the user-id 23, then we can execute the backdoor by requesting:


As we stay in the documents-root, we dont even have to worry about 
safe-mode directory restrictions, and using GIFs will bypass most of 
CBE's image pre-processing functions during file upload (except file- 
and image-size checks).

a) check if the contents of an uploaded file contains a php open-tag 
('<?php') (requires that the php-short-open-tag option is disabled)
b) Joomla offers several functions for accessing POST and GET params, i 
guess using getWord() instead of getVar() would be a better choice in 
this case.

04.10.2010 - vendor informed
07.10.2010 - vendor released fixed version
08.10.2010 - public disclosure

Delf Tonder