header-logo
Suggest Exploit
vendor:
Expose
by:
N/A
CVSS
HIGH
Remote Permission Bypass/Arbitrary File Upload
CWE
Product Name: Expose
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:

Joomla Component Expose <= RC35 Remote Permission Bypass/Arbitrary File Upload Vulnerability

The Joomla component Expose <= RC35 has a vulnerability that allows for remote permission bypass and arbitrary file upload. The vulnerable file is /com_expose/uploadimg.php. The target_path variable is set to ../../../components/com_expose/expose/img/. If the uploaded file does not have a .jpg extension, an alert is displayed. An attacker can upload a PHP shell using the link http://site.com/administrator/components/com_expose/uploadimg.php. The shell file can be found at http://site.com/components/com_expose/expose/img/

Mitigation:

To mitigate this vulnerability, it is recommended to update to a patched version of the Joomla component Expose. Additionally, access to the uploadimg.php file should be restricted to authorized users only.
Source

Exploit-DB raw data:

   				   
                   		   HHHHHHH HHHHHH HH      HHHHHHHH HHHHHH HHHHHHHH IHHI HH    HH HHHHHHHH
				   HH   HH HH  HH HH      HHHHHHHH HH       IHHI    HH  HHH   HH HHHHHHHH
				   HH   HH HH  HH HH      HH       HH        HH     HH  HHHH  HH HH
				   HHHHHHH HHHHHH HH      HHHHHHH  HHHHHH    HH     HH  HH HH HH HHHHHHHH
				   HH	   HH  HH HH      HH           HH    HH     HH  HH  HHHH HH
				   HH	   HH  HH HH      HHHHHHHH     HH    HH     HH  HH   HHH HHHHHHHH
				   HH	   HH  HH HHHHHHH HHHHHHHH HHHHHH    HH    IHHI HH    HH HHHHHHHH

================================================================================================================
++ Joomla Component Expose <= RC35 Remote Permission Bypass/Arbitrary File Upload Vulnerability		      ++
++ http://joomlacode.org/gf/download/frsrelease/726/10814/com_expose_small_rc4.zip			      ++
----------------------------------------------------------------------------------------------------------------
++ in : /com_expose/uploadimg.php 									      ++
++ =>  $target_path = "../../../components/com_expose/expose/img/";					      ++
++ if((strcasecmp(substr($userfile_name,-4),'.jpg'))){ echo "<script>alert('The file must be jpg');</script>";++
++ File Upload : <?php echo $target_path; ?>                                                                  ++
++ Attacker Got Permission Bypass and upload files                                                            ++
----------------------------------------------------------------------------------------------------------------
++ Arbitrary File Upload										      ++
++ use this link to upload your phpshell [ phpshell.php.jpg ]                                                 ++
++ http://site.com/administrator/components/com_expose/uploadimg.php                                          ++
++ You wil have shell file in this page                                                                       ++
++ http://site.com/components/com_expose/expose/img/                                                          ++
++ Example : http://ayazshah.com/                                                                             ++
++ Dork : "index.php?option=com_expose"                                                                       ++
----------------------------------------------------------------------------------------------------------------
++ Cold z3ro                                                                                                  ++
++ http://hackteach.org                                                                                       ++
----------------------------------------------------------------------------------------------------------------
++ Greets : Hackteach Members , Xp10.Com 								      ++
++ Greets 2 arab Coders : ValentinoLove,Gold M,Sniper-sa,dOCnOK,Hammam,Pal-booter Coders speciale Mr.jerusalem++
================================================================================================================


				  HH  HH HHHHHH HHHHHH HH   HH   HHHHHHHH HHHHHHHH HHHHHHH HHHHHH HH  HH
			  	  HH  HH HH  HH HHHHH  HH  HH	   IHHI   HHHHHHH  HH   HH HHHHH  HH  HH
				  HH  HH HH  HH HH     HH HH        HH    HH	   HH   HH HH     HH  HH
				  HHHHHH HHHHHH HH     HHHH  HHHHH  HH    HHHHHHH  HH   HH HH     HHHHHH
				  HH  HH HH  HH HH     HH HH	    HH    HH       HHHHHHH HH     HH  HH
				  HH  HH HH  HH HHHHH  HH  HH       HH    HHHHHHHH HH   HH HHHHH  HH  HH
				  HH  HH HH  HH HHHHHH HH   HH      HH    HHHHHHHH HH   HH HHHHHH HH  HH

# milw0rm.com [2007-07-18]