13 Aralık 2015 Pazar

Joomla <= (Shape 5 MP3 Player 2.0) Local File Disclosure Exploit (0day)

~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[+] Author : KnocKout
[~] Contact : knockout@e-mail.com.tr
[~] Skype : knockoutr@msn.com
[~] HomePage : http://milw00rm.com - http://h4x0resec.blogspot.com
[~] Greetz :  b3mb4m, ZoRLu, KedAns-Dz ( milw00rm.com )
===================================================================
~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|~Web App. : Joomla
|~Plugin : Shape 5 MP3 Player 2.0
|~Affected Version : 2.0
|~Software  : http://extensions.joomla.org/extension/shape-5-mp3-player
|~RISK : High
|~Google Dork :  inurl:"php?fileUrl="
|~Google Dork :  inurl:plugins/content/s5_media_player
===================================================================
======================Info=========================================
helper.php unconsciously encoded.
This is a very simple security measures, It was exposed to attack.
if base64 encrypting the file names
'fileurl'  function is used, and local files will be easily exposed.
============ Error line's in helper.php ===========================
<?php
$path = base64_decode($_REQUEST['fileurl']);
$base = basename($path);
$path1 = str_replace(' ','%20',$path);

header('Content-Description: File Transfer');
header('Content-Type:application/octet-stream');
header('Content-Transfer-Encoding: Binary');
header("Content-disposition: attachment; filename=\"".basename($path)."\"");
header('Content-Length: ' . filesize($path));
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Pragma: public');
readfile($path1);
exit;
?>
======================================================================
======================== Tested on Demos  ============================
www.kraskinotv.ru
www.alexandra-pavlyuk.ru
www.kovspas.ru
www.asetkz.ru
www.cciheredia.cr
www.helicopterspray.com
www.kpu-karawang.go.id
www.practicalbioethics.org
www.iccfoundation.us
www.mixticius.net
www.stbarnabasdulwich.org
www.ahavathachim.com
www.dcbaptist.org
www.stjohnmansfield.org
www.ilyda.com
www.mountainviewchapel.com
www.biamd.org
www.lavingtonunited.org
www.cypressbible.org
www.brianmcgilloway.com
www.toneside.com
..
etc
..

Details: https://www.milw00rm.com/exploits/11867

Hiç yorum yok:

Yorum Gönder