1. Vulnerability Properties
Title: Bypass File Upload Restriction in JNews Joomla Component
CVE ID: CVE-2015-7341
CVSSv3 Base Score: 7.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L)
Advisory Release Date:
Advisory URL: https://labs.integrity.pt/advisories/cve-2015-7341
Credits: Discovery by Fábio Pires <fp[at]integrity.pt>, Filipe Reis <fr[at]integrity.pt>, Vitor Oliveira <vo[at]integrity.pt>
2. Vulnerability Summary
This vulnerability may lead a user to upload a malicious php file to gain control over the web server.
3. Technical Details
3.1 Unrestricted file upload [Subscribers]:
To this first upload form, we don't even need to bypass the upload filter.
Choose an .php file. Upload..
The test.php file will be upload to the server at the location: media/com_jnews/uploadmalicious.php
Please note that there is a simple bug here too, instead of saving the uploaded file into the upload folder, the component just attach the word upload at the beginning of the file name.
That's all folks. Just need to issue an request to your webshell.
3.2 Unrestricted file upload [Templates]:
Here you can upload a simple zip file with a malicious php file inside:
The content of the zip file needs to respect the following structure:
Note: The index.html file needs to be inside the zip file too.
That's it. Got your shell, just need to use it under /media/com_jnews/templates/<zip-folder>/<shell.php>
3.3 Bypass file extension filter
Some functions of Jnews allows you to upload files to the server, however they're filtered by their extension.
The code located at lib.upload.php is responsable for this validation and it's vulnerable. You can bypass it by simple upload a .htaccess file with php code inside or simple use the .php5 extension.
So let's check the code below
Default value of $exts is ["php","phtm","phtml","php3,"inc","exe","dmg"]
Since jnews are using an blacklist filter approach, you can simple upload a file that doesn't match with any of the extensions above.
4. Vulnerable Versions
- Update to 8.5.0
6. Vulnerability Timeline
- September 01, 2015 — Bug reported to Joobi
- September 02, 2015 —Jnews’s team replied asking more info
- September 24, 2015 —Jnews’s team releases a new version
- October 15, 2015 — Public disclosure