
Re: file upload vulnerability in joomla media component



so an administrator that already has access to create html content in
com_content, among other places, has access to upload html files named
as image files?

i would hardly call that a serious issue.

On 19 Sep 2007 10:10:34 -0000, vinodsharma.mmit@xxxxxxxxx
<vinodsharma.mmit@xxxxxxxxx> wrote:
> Overview:
> There is a programming flaw in com_media component of joomla content 
> management system. Com_media component allows only image (.png, .jpeg, .gif) 
> files to be uploaded to the server. but the flaw is that we can upload any html 
> files by changing its name to something like example.html.png
>
> Affected Product: Joomla 1.0.13
>
> Proof of Concept:
>
> Below are the steps for POC:
>
> STEP1: first create an html file with any script
>       code.
> STEP2: Login into joomla with administrator
>       credentials and click on media manager
>       component.
> STEP3: use the image upload utility to upload
>       crafted png file with name index.html.png
> STEP4: joomla will not show any error and file is
>       uploaded.
> STEP5: Then just click on that file and script
>       code written in that file gets executed by
>       the user's browser
>
> If we change the filename in step2 with example.html then try to upload,  
> joomla will show an error that file type is not supported.
>
> According to me it's a serious issue in the joomla image upload algorithm 
> that doesn't properly validate the format of the file uploaded.
>
> If Com_media component is accessible to any user other than above, the issue can 
> be used to upload any html file remotely. i am not able to access the com_media 
> component without administrator credentials.
>


-- 
In God we trust,
Everyone else must have an x.509 certificate.
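
The validation the report says is missing, as an added example that is not part of the original thread and is not Joomla's code: a hypothetical `check_image_upload()` that refuses multi-extension names such as index.html.png and compares the file's leading bytes with the signature of the claimed image type. The function name, the signature table and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example: hypothetical validator, not Joomla's com_media code.
// Allowed extensions (the three named in the report) mapped to the
// magic bytes a file of that type starts with.
const ALLOWED_SIGNATURES = [
    'png'  => "\x89PNG\r\n\x1a\n",
    'jpeg' => "\xFF\xD8\xFF",
    'gif'  => "GIF8",
];

/**
 * Returns null when the upload is acceptable, otherwise a rejection reason.
 * $name is the client-supplied filename, $head the first bytes of the file.
 */
function check_image_upload(string $name, string $head): ?string
{
    $base = basename(str_replace('\\', '/', $name));
    // Exactly one dot: "index.html.png" is refused, "logo.png" passes.
    if (!preg_match('/^[A-Za-z0-9_-]+\.([A-Za-z0-9]+)$/', $base, $m)) {
        return 'filename must be name.ext with a single extension';
    }
    $ext = strtolower($m[1]);
    if (!isset(ALLOWED_SIGNATURES[$ext])) {
        return "extension .$ext is not an allowed image type";
    }
    // The content must start with the signature of the claimed type.
    $sig = ALLOWED_SIGNATURES[$ext];
    if (strncmp($head, $sig, strlen($sig)) !== 0) {
        return "content is not a .$ext image";
    }
    return null;
}

// Constructed sample inputs.
$html = "<html><body>constructed sample</body></html>";
$png  = "\x89PNG\r\n\x1a\n" . str_repeat("\0", 16);
$cases = [
    ['index.html.png', $html],  // the name used in the report's steps
    ['example.html',   $html],
    ['logo.png',       $html],  // single extension, but HTML content
    ['logo.png',       $png],
];
foreach ($cases as [$name, $head]) {
    $why = check_image_upload($name, $head);
    printf("%-16s %s\n", $name, $why === null ? 'accepted' : "rejected: $why");
}
```

Only the last case is accepted; the third shows why the extension check alone is not enough, since a single-extension name can still carry HTML content.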