Joomla jesectionfinder LFI Vulnerability

vendor:

jesectionfinder

by:

Sid3^effects aKa HaRi

9,3

CVSS

HIGH

LFI

CWE

Product Name: jesectionfinder

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2010

Joomla jesectionfinder LFI Vulnerability

This component for web-based business that specialises in buying and selling sections nationwide. User can add their section/property into particular listing option. Listing option manages from the backend. User selects their plan (Listing option) and enters property detail (with images). After use see that preview and make it payment. If user makes it payment successfully than it display automating otherwise their listing not published. User searches property and contact seller for more detail. The exploit is a Local File Inclusion vulnerability which allows an attacker to read arbitrary files on the server. The exploit is triggered by sending a specially crafted HTTP request to the vulnerable server, containing the malicious payload in the 'view' parameter.

Mitigation:

Ensure that user input is properly sanitized and validated before being used in file operations. Also, ensure that the web server is configured to deny access to sensitive files and directories.

Source

Exploit-DB raw data:

Name : Joomla jesectionfinder LFI Vulnerability
Date : june, 26 2010
Critical Level     : HIGH
Vendor Url : http://joomlaextensions.co.in/component/awd_song/
Google Dork: inurl:/component/jesectionfinder/
Price:$25.00
Author : Sid3^effects aKa HaRi <shell_c99[at]yahoo.com>
special thanks to : r0073r (inj3ct0r.com),L0rd CruSad3r,MaYur,MA1201,KeDar,Sonic,gunslinger_
greetz to :www.topsecure.net ,All ICW members and my friends :) luv y0 guyz
#######################################################################################################
Description:
This component for web-based business that specialises in buying and selling sections nationwide. Our aim is easy to connect the seller of

land directly to the buyer, its simple.

Easy to handle that component functionallity.

User can add your section/property into particular listing option. Listing option manages from the backend. User selects his plan (Listing

option) and enters property detail (with images).  After use see that preview and make it payment.  If user makes it payment successfully

than it display automating otherwise his listing not published.
User searches property and contact seller for more detail.


#######################################################################################################
Xploit:jesectionfinder LFI


DEMO URL : http://server/propertyfinder/component/jesectionfinder/?view=[LFI]

###########################################################################