Not too long ago, while doing some routine pentesting of my site, I came across two vulnerabilities in the Joomla! component sh404sef.
The first exploit allowed for scripts to be run in the administrator side of the site by sending specially crafted requests to a site running sh404sef.
Once this is done, any administrator that visits the URL Manager and looks at the 404 Errors will end up executing this script with rights equal to the admin. I leave it as an exercise to the reader to figure out the next step.
The second vulnerability I found is pretty simple, and is only useful for reducing the amount of effort needed for further penetration. By visiting the url:
... an attacker is presented with an interesting error:
Fatal error: Class 'sef_sh404sef' not found in /home/****/public_html/administrator/components/com_sh404sef/sh404sef.class.php(3203) : eval()'d code on line 1
This gives an attacker the real user name of the user on the host, most useful for attempts at gaining FTP or SFTP access.
These vulnerabilities are fixed as of version 1.0.20 Beta Build 237
- Vulnerabilities Discovered: 17 May 2009
- Vendor Notified: 20 May 2009
- Vendor Response: 30 May 2009
- Update Available: 8 Jun 2009
- Disclosure: 8 Jun 2009