Re: file upload vulnerability in joomla media component

To: "vinodsharma.mmit@xxxxxxxxx" <vinodsharma.mmit@xxxxxxxxx>, bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: file upload vulnerability in joomla media component
From: "Gavin Hanover" <netmunky@xxxxxxxxx>
Date: Wed, 19 Sep 2007 10:24:52 -0700
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; bh=aEvBJQMceXN6f18UNR3L8jp8s7qpe7Z1F1XW1Axwbi4=; b=cAqDfqRVWvEaJRNPEwHY9gcIvK3msegxiqaeKu56Qm6LdOmxD8ZBxiwGz/Gtw7R9ZuYqajtEP07/3T/Yck34go73nQAcSGZuYURwE2HZAzgOh8vqRy5htVJzgx7vexbepOBtHtVD+ctOpoP+qWk8Aj2Vfhaeq+vPmlVzHeNgs2Q=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=FdlMliDGlRUyPQC6jVqe5rREBeZnrXAb0qH/mctTkVBMtRjPepCu92fJQjtxbctqLMg6rPbqUWSXH4wU1XA6KRS/mS8+p4p5OP/MOMjePGdhJitRoE+H/CqfyYJeM5ef1YMpUuY4sdmnTAxrlFySMs6QgxRXdl99DHG0e3ojhqE=
In-reply-to: <20070919101034.912.qmail@xxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20070919101034.912.qmail@xxxxxxxxxxxxxxxxx>

so an adminstrator that already has access to create html content in
com_content, among other places, has access to upload html files named
as image files?

i would hardly call that a serious issue.

On 19 Sep 2007 10:10:34 -0000, vinodsharma.mmit@xxxxxxxxx
<vinodsharma.mmit@xxxxxxxxx> wrote:
> OverView:
> There is a programming flaw in com_media component of joomla content 
> mangement system. Com_media component allows only image(.png, .jpeg, .gif) 
> file to be uploaded to the server. but flaw is that we can upload any html 
> files by changing it name something like example.html.png
>
> Affected Product: Joomla 1.0.13
>
> Proof of Concept:
>
> Below are the steps for POC:
>
> STEP1: first create an html file with any script
>       code.
> STEP2: Login into joomla with administrator
>       credentials and click on media manager
>       component.
> STEP3: use the image upload utility to upload
>       crafted png file with name index.html.png
> STEP4: joomla will not show any error and file is
>       uploaded.
> STEP5: Then just click on that file and script
>       code written in that file get executed by
>       user browser
>
> If we change the filename in step2 with example.html then try to upload,  
> joomla will show an error that file type is not supported.
>
> According to me its a serious issue in the joomla image upload alogorithm 
> that does`nt properly validate the format of file uploaded.
>
> If Com_media component is accessible to any user other then above issue can 
> be use to upload any html file remotely. i am not able to com_media component 
> access without administartor credentials.
>
>
>
>


-- 
In God we trust,
Everyone else must have an x.509 certificate.

References:
- file upload vulnerability in joomla media component
  - From: vinodsharma . mmit

Prev by Date: Multiple vulnerabilities in the gMotor2 engine
Next by Date: Re: Re: Re: Toms Gstebuch 1.00 - XSS
Previous by thread: file upload vulnerability in joomla media component
Next by thread: Re: Re: file upload vulnerability in joomla media component
Index(es):
- Date
- Thread