Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: CMS / Portals :: tb12577.htm

Joomla media component file upload vulnerability



file upload vulnerability in joomla media component
file upload vulnerability in joomla media component



OverView:
There is a programming flaw in com_media component of joomla content mangement system. Com_media component allows only image(.png, .jpeg, .gif) file to be uploaded to the server. but flaw is that we can upload any html files by changing it name something like example.html.png
 
Affected Product: Joomla 1.0.13

Proof of Concept:

Below are the steps for POC:

STEP1: first create an html file with any script 
       code.
STEP2: Login into joomla with administrator 
       credentials and click on media manager 
       component.
STEP3: use the image upload utility to upload  
       crafted png file with name index.html.png
STEP4: joomla will not show any error and file is 
       uploaded. 
STEP5: Then just click on that file and script  
       code written in that file get executed by 
       user browser
 
If we change the filename in step2 with example.html then try to upload,  joomla will show an error that file type is not supported.
 
According to me its a serious issue in the joomla image upload alogorithm that does`nt properly validate the format of file uploaded.

If Com_media component is accessible to any user other then above issue can be use to upload any html file remotely. i am not able to com_media component access without administartor credentials.

   
 


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH