Monday, 13 September 2010 11:46

Mosets Tree suffers from a shell upload vulnerability caused by improperly checking the file type of uploaded images.

Tools used:

  1. Firefox web browser
  2. Firebug extension
  3. GIMP image editor

Steps to Reproduce:

  1. Open GIMP, create a new image.
  2. Save image as a GIF file, with the shell as the comment (surrounded by tags).
  3. Rename GIF to shell.gif.php
  4. Create an account on the target site
  5. Navigate to the mtree entry form
  6. Fill out all mandatory form fields
  7. At the bottom of the form you should be able to add images. Add your shell.
  8. Open Firebug and navigate to the Console tab
  9. At the bottom of the console, type this in & hit enter:
    (document.getElementById('adminForm')).submit();
  10. After the form submits, you should be on your user listing page
  11. Navigate to http://{target}/components/com_mtree/img/listings/o/{id}.php where {id} is the id number of your new entry

Caveats:

  • Requires a registered account
  • The shell will have GIF garbage before the PHP code, so headers will already be sent...
  • Works if image processing is set to GD or ImageMagick. NetPbm untested.
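
A defensive check for the flaw described above, as an added example (not code from Mosets Tree or from this advisory): it takes the stored extension from the file's leading bytes instead of the client filename, and audits an upload directory such as components/com_mtree/img/listings/o/ for files that fail. The function names, the PHP suffix set and the sample GIF bytes are constructed assumptions.

```python
import os

# Leading magic bytes mapped to the only extension the server should store.
SIGNATURES = {b"GIF87a": ".gif", b"GIF89a": ".gif",
              b"\xff\xd8\xff": ".jpg", b"\x89PNG\r\n\x1a\n": ".png"}
# Assumed set; match it to the suffixes the web server hands to PHP.
PHP_SUFFIXES = {"php", "php3", "php4", "php5", "phtml", "phar"}
PHP_MARKER = b"<?php"


def content_extension(data):
    """Return the extension implied by the file content, or None."""
    for magic, ext in SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None


def check_upload(client_name, data):
    """Return (accepted, stored_extension, reasons) for one file."""
    reasons = []
    ext = content_extension(data)
    if ext is None:
        reasons.append("not a recognised image")
    # Inspect every dot-separated suffix: shell.gif.php still ends in .php.
    suffixes = client_name.lower().split(".")[1:]
    if any(s in PHP_SUFFIXES for s in suffixes):
        reasons.append("PHP extension in filename")
    # Heuristic only: a valid image can still carry code in a comment block.
    if PHP_MARKER in data.lower():
        reasons.append("PHP open tag in content")
    return (not reasons, ext, reasons)


def audit_directory(path):
    """Map each stored file that fails check_upload to its reasons."""
    findings = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full, "rb") as fh:
                ok, _, reasons = check_upload(name, fh.read())
            if not ok:
                findings[name] = reasons
    return findings


def sample_gif(comment=b""):
    """Constructed minimal GIF bytes with an optional comment extension."""
    block = b"\x21\xfe" + bytes([len(comment)]) + comment + b"\x00" if comment else b""
    return b"GIF89a\x01\x00\x01\x00\x00\x00\x00" + block + b"\x3b"
```

The stored name should be built from the entry id plus the returned extension, so a file that passes the signature check is never saved with a suffix the server executes.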

Timeline:

  • Vulnerabilities Discovered: 6 September 2010
  • Vendor Notified: 8 September 2010
  • Vendor Response: 9 September 2010
  • Update Available: 13 September 2010
  • Disclosure: 13 September 2010
Last Updated on Thursday, 30 September 2010 17:34
 


The Joomla!® name is used under a limited license from Open Source Matters in the United States and other countries. Jeff Channell is not affiliated with or endorsed by Open Source Matters or the Joomla!® Project.
