Bugtraq mailing list archives
Joomla! JomSocial component < 3.1.0.1 - Remote code execution
From: Matias Fontanini <matias.fontanini () gmail com>
Date: Thu, 30 Jan 2014 14:47:58 -0300
-------------------------------------------------------------
Joomla! JomSocial component < 3.1.0.1 - Remote code execution
-------------------------------------------------------------

== Description ==

- Software link: http://www.jomsocial.com/
- Affected versions: All versions >= 2.6 and < 3.1.0.1 are vulnerable.
- Vulnerability discovered by: Matias Fontanini and Gaston Traberg

== Vulnerability ==

The vulnerability is located in the "photos" controller, "ajaxUploadAvatar" task. The parameters parsed by the "Azrul" plugin are not properly sanitized before being used in a call to the "call_user_func_array" PHP function, so the request chooses both the callable and its argument list. This allows an attacker to execute arbitrary static class functions, using any number of user-provided parameters. This can be leveraged by calling the "escape" method in the "CStringHelper" class to execute arbitrary PHP code.

In order to exploit the vulnerability, no authentication is required.

== Proof of concept ==

See the attached python script, which allows executing arbitrary code on a Joomla! application which has the JomSocial component installed.

== Solution ==

Upgrade the product to the 3.1.0.1 version.

== Report timeline ==

[2013-12-12] Vulnerability reported to vendor.
[2013-12-12] Developers answered back.
[2013-12-23] JomSocial 3.1.0.1 was released, which fixes the reported issue.
[2014-01-30] Public disclosure.
Attachment: exploit.py
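The dispatch pattern the advisory describes, as an added example that is not JomSocial's or the advisory author's code: a JSON "task" dispatcher that hands a request-supplied callable and argument list to call_user_func_array(), beside a hardened version that keeps the callable out of the request entirely. Every class, method and request-field name below is hypothetical, and the body of the escape gadget is an assumed shape, since the advisory names CStringHelper::escape but does not show its implementation. Runs under PHP 8.

```php
<?php
declare(strict_types=1);

// Added illustration, not JomSocial's code. All names here are hypothetical.

// Stand-in for a reachable public static method that itself makes a
// dynamic call. The advisory names CStringHelper::escape as the gadget
// but does not show its body, so this shape is an assumption.
final class StringHelper
{
    public static function escape(string $value, string $filter = 'htmlspecialchars'): string
    {
        // Second hop: once the request picks both callable and arguments,
        // it also picks $filter, i.e. which PHP function runs on $value.
        return (string) call_user_func($filter, $value);
    }
}

final class AvatarController
{
    public static function ajaxUploadAvatar(string $userId, string $fileName): string
    {
        return "uploading $fileName for user $userId";
    }
}

// Vulnerable pattern: the decoded request names the class, the method and
// an argument list of any length, and nothing checks any of it.
function vulnerable_dispatch(string $json): mixed
{
    $call = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    [$class, $method] = $call['func'];   // attacker-controlled callable
    $args = $call['args'];               // attacker-controlled, any length
    // Any public static method of any loaded class is now reachable.
    return call_user_func_array([$class, $method], $args);
}

// Hardened pattern: task names map to server-chosen callables with a fixed
// arity; the request never names a class or method, and the caller must be
// authenticated before anything is dispatched.
const TASKS = [
    'avatar.upload' => [AvatarController::class, 'ajaxUploadAvatar', 2],
];

function hardened_dispatch(string $json, ?int $currentUserId): mixed
{
    if ($currentUserId === null) {
        throw new RuntimeException('authentication required');
    }
    $call = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    $task = $call['task'] ?? '';
    if (!is_string($task) || !isset(TASKS[$task])) {
        throw new InvalidArgumentException('unknown task');
    }
    [$class, $method, $arity] = TASKS[$task];
    $args = $call['args'] ?? [];
    if (!is_array($args) || count($args) !== $arity) {
        throw new InvalidArgumentException("bad argument count for $task");
    }
    foreach ($args as $arg) {
        if (!is_string($arg)) {          // strings only: no nested arrays, no callables
            throw new InvalidArgumentException("non-string argument for $task");
        }
    }
    // The callable comes from TASKS, never from the request body.
    return $class::$method(...array_values($args));
}

// Constructed request: aims the dispatcher at the gadget and passes a
// function name as its second argument. strtoupper stands in for a
// code-executing callback so this script stays harmless to run.
$malicious = json_encode([
    'func' => ['StringHelper', 'escape'],
    'args' => ['phpinfo();', 'strtoupper'],
]);

// Vulnerable path: the request, not the server, decided which function ran.
echo vulnerable_dispatch($malicious), "\n";

// Hardened path: the same request carries no registered task name.
try {
    hardened_dispatch($malicious, 42);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// Hardened path: a well-formed request from an unauthenticated caller.
$legit = json_encode(['task' => 'avatar.upload', 'args' => ['42', 'me.png']]);
try {
    hardened_dispatch($legit, null);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// Hardened path: the same request from an authenticated caller is served.
echo hardened_dispatch($legit, 42), "\n";
```

Note that an `is_callable()` check on the vulnerable path would not have helped: the gadget is a legitimate public static method, so it is callable by design. The fix is to stop taking the callable from the request at all, which is why the hardened dispatcher resolves a task name against a server-side table and also pins the argument count and type.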