Filipe Reis

Filipe Reis

Pentester, Security Researcher, Bug Hunter and Organizer of BSidesLisbon

CVE-2015-7341 - Bypass File Upload Restriction in JNews Joomla Component

1 minute read

1. Vulnerability Properties

  • Title: Bypass File Upload Restriction in JNews Joomla Component
  • CVE ID: CVE-2015-7341
  • CVSSv3 Base Score: 7.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L)
  • Vendor: Joobi
  • Products: JNews
  • Advisory Release Date: 15 October 2015
  • Advisory URL: https://labs.integrity.pt/advisories/cve-2015-7341
  • Credits: Discovery by Fábio Pires <fp[at]integrity.pt>, Filipe Reis <fr[at]integrity.pt>, Vitor Oliveira <vo[at]integrity.pt>

2. Vulnerability Summary

This vulnerability may lead a user to upload a malicious php file to gain control over the web server.

3. Technical Details

3.1- Unrestricted file upload [Subscribers]:

To this first upload form, we don’t even need to bypass the upload filter. Go to:

Administration > Components > Jnews > Subscribers > Import

image1

Choose an .php file. Upload.

image2

The test.php file will be upload to the server at the location: media/com_jnews/uploadtest.php

Please note that there is a simple bug here too, instead of saving the uploaded file into the upload folder, the component just attach the word *upload at the beginning of the file name.

That’s all folks. Just need to issue an request to your webshell.

  • GET Request: /bin/ls -la ../.. && id

image3

  • Server Response of the previous command:

image4

3.2- Unrestricted file upload [Templates]:

Here you can upload a simple zip file with a malicious php file inside:

image5

The content of the zip file needs to respect the following structure:

image6

Note: The index.html file needs to be inside the zip file too.

That’s it. Got your shell, just need to use it under /media/com_jnews/templates/<zip-folder>/<shell.php>

  • GET Request: /bin/ls -la ../.. && id

image7

  • Server Response of the previous command:

image8

3.3- Bypass file extension filter

Some functions of Jnews allows you to upload files to the server, however they’re filtered by their extension.

The code located at lib.upload.php is responsable for this validation and it’s vulnerable. You can bypass it by simple upload a .htaccess file with php code inside or simple use the .php5 extension.

So let’s check the code below:

image9

Default value of $exts is [“php”,”phtm”,”phtml”,”php3,”inc”,”exe”,”dmg”]

Since jnews are using an blacklist filter approach, you can simple upload a file that doesn’t match with any of the extensions above.

4. Vulnerable Versions

  • 8.3.1

5. Solution

  • Update to 8.5.0

6. Vulnerability Timeline

  • September 01, 2015 — Bug reported to Joobi
  • September 02, 2015 — Jnews’s team replied asking more info
  • September 24, 2015 — Jnews’s team releases a new version
  • October 15, 2015 — Public disclosure

Categories:

Updated: