lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <c971c1680709191024i4160f7bcuc8e56c0a4e76e5ab@mail.gmail.com>
Date: Wed, 19 Sep 2007 10:24:52 -0700
From: "Gavin Hanover" <netmunky@...il.com>
To: "vinodsharma.mmit@...il.com" <vinodsharma.mmit@...il.com>,
	bugtraq@...urityfocus.com
Subject: Re: file upload vulnerability in joomla media component

so an adminstrator that already has access to create html content in
com_content, among other places, has access to upload html files named
as image files?

i would hardly call that a serious issue.

On 19 Sep 2007 10:10:34 -0000, vinodsharma.mmit@...il.com
<vinodsharma.mmit@...il.com> wrote:
> OverView:
> There is a programming flaw in com_media component of joomla content mangement system. Com_media component allows only image(.png, .jpeg, .gif) file to be uploaded to the server. but flaw is that we can upload any html files by changing it name something like example.html.png
>
> Affected Product: Joomla 1.0.13
>
> Proof of Concept:
>
> Below are the steps for POC:
>
> STEP1: first create an html file with any script
>       code.
> STEP2: Login into joomla with administrator
>       credentials and click on media manager
>       component.
> STEP3: use the image upload utility to upload
>       crafted png file with name index.html.png
> STEP4: joomla will not show any error and file is
>       uploaded.
> STEP5: Then just click on that file and script
>       code written in that file get executed by
>       user browser
>
> If we change the filename in step2 with example.html then try to upload,  joomla will show an error that file type is not supported.
>
> According to me its a serious issue in the joomla image upload alogorithm that does`nt properly validate the format of file uploaded.
>
> If Com_media component is accessible to any user other then above issue can be use to upload any html file remotely. i am not able to com_media component access without administartor credentials.
>
>
>
>


-- 
In God we trust,
Everyone else must have an x.509 certificate.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ