Vendor: GMapFP
By: ThelastVvV
CVSS: 7.5 (HIGH)
Vulnerability Type: Arbitrary File Upload
CWE: 434
Product Name: GMapFP
Affected Version From: J3.30pro
Affected Version To: J3.30pro
Patch Exists: N/A
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Ubuntu
Year: 2020

Joomla! Component GMapFP 3.30 – Arbitrary File Upload

The Joomla! GMapFP component 3.x allows remote attackers to upload arbitrary files, including web shells, because the upload handler does not adequately restrict file types (CWE-434). The extension check can be bypassed by uploading files with double extensions such as file.php.png, file2.php.jpeg, file3.html.jpg, and file3.txt.jpg. The uploaded files are then reachable under the web root at http://127.0.0.1/images/gmapfp/file.php or http://127.0.0.1//images/gmapfp/file.php.png.

Mitigation:

Restrict file uploads to an allowlist of permitted file types and extensions, reject names that carry more than one extension (such as the double-extension names above), and store uploaded files outside the web root directory so they can never be served or executed directly.
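The following is an added example of the mitigation described above; it is not code from the advisory or from the GMapFP component. It assumes a hypothetical storage directory outside the web root (`UPLOAD_ROOT`) and a small image allowlist, and it uses constructed sample files whose names mirror the double-extension names quoted in the advisory. The validator rejects any name with more than one extension, enforces the allowlist, checks that the file content starts with the magic bytes of the claimed type, and never uses the client-supplied name on disk.

```python
"""Defensive upload validator (added example, not the component's own code).

Assumptions: UPLOAD_ROOT is a hypothetical directory outside the document
root; ALLOWED_TYPES is a minimal image allowlist chosen for illustration.
"""
import os
import re
import secrets
from pathlib import Path

# Allowed extensions mapped to the magic bytes a file of that type must start with.
ALLOWED_TYPES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}

# Hypothetical storage location outside the web root (assumption, not from the page).
UPLOAD_ROOT = Path("/var/lib/gmapfp-uploads")


class UploadRejected(ValueError):
    """Raised when a file fails validation; the message names the failed check."""


def validate_upload(original_name: str, data: bytes) -> str:
    """Return the safe extension for this upload or raise UploadRejected.

    Checks, in order:
    1. the name has exactly one extension (rejects file.php.png style names);
    2. that extension is on the allowlist;
    3. the content starts with the magic bytes of the claimed type.
    """
    # Keep only the final path component so "../x.png" cannot escape the directory.
    base = os.path.basename(original_name.replace("\\", "/"))
    parts = base.split(".")
    if len(parts) != 2 or not parts[0] or not parts[1]:
        raise UploadRejected(f"expected exactly one extension, got {base!r}")
    ext = parts[1].lower()
    if not re.fullmatch(r"[a-z0-9]+", ext):
        raise UploadRejected(f"extension contains invalid characters: {ext!r}")
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension not allowed: {ext!r}")
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected(f"content does not match a {ext} file")
    return ext


def upload_verdict(original_name: str, data: bytes) -> str:
    """Human-readable result for one candidate upload ("accepted" or "rejected: ...")."""
    try:
        return "accepted:" + validate_upload(original_name, data)
    except UploadRejected as exc:
        return "rejected: " + str(exc)


def store_upload(original_name: str, data: bytes, root: Path = UPLOAD_ROOT) -> Path:
    """Validate, then write under a random server-chosen name outside the web root.

    The client-supplied name is never used on disk, so even an allowlisted
    extension cannot be turned into a server-executable path by the uploader.
    """
    ext = validate_upload(original_name, data)
    root.mkdir(parents=True, exist_ok=True)
    target = root / f"{secrets.token_hex(16)}.{ext}"
    target.write_bytes(data)
    return target


if __name__ == "__main__":
    # Constructed sample payloads: a minimal PNG header and a PHP script body.
    png_sample = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    php_sample = b"<?php echo 'not an image'; ?>"
    for name, data in [
        ("photo.png", png_sample),
        ("file.php.png", php_sample),   # double extension from the advisory
        ("file2.php.jpeg", php_sample),
        ("file3.html.jpg", php_sample),
        ("shell.php", php_sample),
        ("fake.png", php_sample),       # allowed extension, wrong content
    ]:
        print(f"{name:16} -> {upload_verdict(name, data)}")
```

Only `validate_upload` decides acceptance; `store_upload` exists to show that the stored name is server-generated and the directory is outside the web root, which together remove the directory-path exposure the advisory relies on even if a check is later weakened.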

Exploit-DB raw data:

# Exploit Title: Joomla! Component GMapFP 3.30 - Arbitrary File Upload
# Google Dork: inurl:''com_gmapfp''
# Date: 2020-03-25
# Exploit Author: ThelastVvV
# Vendor Homepage:https://gmapfp.org/
# Version:* Version J3.30pro
# Tested on: Ubuntu

# PoC:

http://127.0.0.1/index.php?option=comgmapfp&controller=editlieux&tmpl=component&task=upload_image

# you can bypass the restriction by uploading your file.php.png , file2.php.jpeg , file3.html.jpg , file3.txt.jpg

# Dir File Path:

http://127.0.0.1/images/gmapfp/file.php 

or

http://127.0.0.1//images/gmapfp/file.php.png

# The Joomla Gmapfp Components 3.x is allowing
# remote attackers to upload arbitrary files upload/shell upload due to the issues of unrestricted file uploads