JE Messenger 1.0 Arbitrary File Upload Vulnerability
 
 Name              JE Messenger
 Vendor            http://joomlaextensions.co.in
 Versions Affected 1.0
 
 Author            Salvatore Fresta aka Drosophila
 Website           http://www.salvatorefresta.net
 Contact           salvatorefresta [at] gmail [dot] com
 Date              2010-12-09
 
X. INDEX
 
 I.    ABOUT THE APPLICATION
 II.   DESCRIPTION
 III.  ANALYSIS
 IV.   SAMPLE CODE
 V.    FIX
  
 
I. ABOUT THE APPLICATION
________________________
 
JE Messenger is a Joomla's component.
 
 
II. DESCRIPTION
_______________
 
A parameter is not properly sanitised before  being used
from the native Joomla's upload function.
 
 
III. ANALYSIS
_____________
 
Summary:
 
 A) Arbitrary File Upload
  
 
A) Arbitrary File Upload
________________________
 
A logic error in the save function  (compose.php)  allows
to a registered user to upload a file with any extension.
The check for a valid file's extension is made  after the
upload and in the failure case, the file doesn't  removed
from the server. This   can   be   exploited  to  execute
arbitrary PHP code by uploading a PHP file.
 
The file's name is different after the upload:
 
$file['name'] = time().'in'.$file['name'];
 
Example:
 
Original file's name: shell.php
Uploaded file's name: 1291907399inshell.php
 
Where  1291907399  is  the  value returns from the time()
function.
 
The file will be uploaded to the following directory:
 
$dest = JPATH_ROOT.DS.'components/'.$option.'/assets/images/'.$file['name'];
 
The default destination is:
 
http://site/path/components/com_jemessenger/assets/images/
 
 
IV. SAMPLE CODE
_______________
 
A) Arbitrary File Upload
 
1 - Login to target website's Joomla
2 - Go to http://site/path/index.php?option=com_jemessenger&view=compose
3 - Compile a valid form and select an arbitrary file
4 - Go to http://site/path/components/com_jemessenger/assets/images/filename
 
 
Try a little bruteforce to find the value  returned  from
the time() function.
 
 
V. FIX
______
 
No fix.