JomSocial 1.8.8 Shell Upload Vulnerability

vendor:

JomSocial

by:

Jeff Channell

7,5

CVSS

HIGH

File Upload Vulnerability

434

CWE

Product Name: JomSocial

Affected Version From: 1.8.8

Affected Version To: 1.8.8

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Joomla!

2010

JomSocial 1.8.8 Shell Upload Vulnerability

Successful exploitation of this exploit requires the site to be configured to allow users to upload video files directly, which is disabled by default. If this feature is enabled, any file uploaded via the "add video" upload form will end up in http://[victim]/images/originalvideos/[your account's user id]/[unique file name]. This folder is not protected with an index, so if indexes are allowed retrieving the shell's filename is trivial.

Mitigation:

Disable the feature that allows users to upload video files directly.

Source

Exploit-DB raw data:

There is a file upload vulnerability in version 1.8.8 and earlier of 
JomSocial, the popular community extension for Joomla!.

Successful exploitation of this exploit requires the site to be 
configured to allow users to upload video files directly, which is 
disabled by default. If this feature is enabled, any file uploaded via 
the "add video" upload form will end up in 
http://[victim]/images/originalvideos/[your account's user id]/[unique 
file name]. This folder is not protected with an index, so if indexes 
are allowed retrieving the shell's filename is trivial.

Listed on the JomSocial Changelog as "BUG: 4495" 
<http://www.jomsocial.com/docs/Change_Log#Version_1.8.9>

Timeline

     * Vulnerabilities Discovered: 26 September 2010
     * Vendor Notified: 27 September 2010
     * Vendor Response: 27 September 2010
     * Update Available: 28 September 2010
     * Disclosure: 30 September 2010

http://jeffchannell.com/Joomla/jomsocial-188-shell-upload-vulnerability.html