Re: file upload vulnerability in joomla media component
so an administrator that already has access to create html content in
com_content, among other places, has access to upload html files named
as image files?
i would hardly call that a serious issue.
On 19 Sep 2007 10:10:34 -0000, vinodsharma.mmit@xxxxxxxxx
<vinodsharma.mmit@xxxxxxxxx> wrote:
> Overview:
> There is a programming flaw in the com_media component of the Joomla content
> management system. The com_media component allows only image (.png, .jpeg, .gif)
> files to be uploaded to the server, but the flaw is that we can upload any HTML
> file by changing its name to something like example.html.png
>
> Affected Product: Joomla 1.0.13
>
> Proof of Concept:
>
> Below are the steps for POC:
>
> STEP1: First create an HTML file with any script code.
> STEP2: Log in to Joomla with administrator credentials and click on
>        the media manager component.
> STEP3: Use the image upload utility to upload the crafted png file
>        with the name index.html.png
> STEP4: Joomla will not show any error and the file is uploaded.
> STEP5: Then just click on that file and the script code written in
>        that file gets executed by the user's browser.
>
> If we change the filename in step2 to example.html and then try to upload,
> Joomla will show an error that the file type is not supported.
>
> According to me it's a serious issue in the Joomla image upload algorithm,
> which doesn't properly validate the format of the uploaded file.
>
> If the com_media component is accessible to any other user, then the above
> issue can be used to upload any HTML file remotely. I am not able to access
> the com_media component without administrator credentials.
>
--
In God we trust,
Everyone else must have an x.509 certificate.
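
Added example, not part of either message and not Joomla's code: a Python illustration of the extension-only check the report describes, beside a validator that also looks at inner extensions and the file's leading bytes. The function names, the ACTIVE_EXTENSIONS list, the "jpg" alias and the sample bytes are assumptions constructed for this example.

```python
import os

# Magic-byte signatures for the image types the report says com_media allows.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
SIGNATURES["jpg"] = SIGNATURES["jpeg"]  # assumption: common alias, not listed in the report

# Assumed list of inner extensions a browser or web server may act on.
ACTIVE_EXTENSIONS = {"html", "htm", "xhtml", "shtml", "svg", "js", "php"}

# Constructed sample inputs.
HTML_SAMPLE = b"<html><body><script>/* any script */</script></body></html>"
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17


def extension_only_check(filename):
    """The weak check described in the report: only the last extension counts."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    return ext in SIGNATURES


def validate_upload(filename, data):
    """Return (ok, reason) after checking the name, extensions and leading bytes."""
    name = os.path.basename(filename.replace("\\", "/"))
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing name or extension"
    ext = parts[-1]
    if ext not in SIGNATURES:
        return False, "extension not allowed"
    # Reject names such as index.html.png that carry an active inner extension.
    if any(p in ACTIVE_EXTENSIONS for p in parts[1:-1]):
        return False, "active inner extension"
    # The content must start with a signature that matches the claimed type.
    if not any(data.startswith(sig) for sig in SIGNATURES[ext]):
        return False, "content does not match extension"
    return True, "ok"


if __name__ == "__main__":
    for fname, body in [("index.html.png", HTML_SAMPLE),
                        ("photo.png", HTML_SAMPLE),
                        ("photo.png", PNG_SAMPLE)]:
        print(fname, extension_only_check(fname), validate_upload(fname, body))
```

A signature check alone does not stop a file that begins with valid image bytes and carries markup later, so uploads should also be served with a fixed image Content-Type and `X-Content-Type-Options: nosniff`.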