Monday, 04 October 2010 00:00

SOBI2's admin panel doesn't explicitly check for _POST requests, nor does it have a nonce, so the saveConfig task can be triggered by a forged GET request such as:

http://[victim]/administrator/index.php?stpl=default&returnTask=editTemplate&task=saveConfig&option=com_sobi2&editing=config&templateContent=[URL-Encoded PHP]

Successful exploitation requires a site administrator to visit a malicious URL while logged in to the backend.

The location of the overwritten file in this case is components/com_sobi2/templates/default/sobi2.details.tmpl.php
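
A defender-side check for the request shape described above, as an added example that is not part of the original advisory: it scans web-server access logs for com_sobi2 saveConfig requests that arrived as GET, carried templateContent in the query string, or came with an off-site Referer. The combined log format, the host name example.test and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format: "METHOD target PROTO" status size "referer" ...
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} \S+ "(?P<referer>[^"]*)"')

def classify(line, site_host):
    """Return None for unrelated lines, else the reasons a saveConfig request looks forged."""
    m = LOG_RE.search(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if not url.path.endswith("/administrator/index.php"):
        return None
    q = parse_qs(url.query, keep_blank_values=True)
    if q.get("option") != ["com_sobi2"] or q.get("task") != ["saveConfig"]:
        return None
    reasons = []
    if m["method"] != "POST":
        reasons.append("state-changing task sent as " + m["method"])
    if "templateContent" in q:
        reasons.append("templateContent carried in the query string")
    if urlsplit(m["referer"]).hostname != site_host:
        reasons.append("Referer is off-site or missing")
    return {"stpl": q.get("stpl", [""])[0], "reasons": reasons}

def findings(lines, site_host):
    """1-based line numbers and details of requests with at least one reason."""
    hits = []
    for n, line in enumerate(lines, 1):
        r = classify(line, site_host)
        if r and r["reasons"]:
            hits.append((n, r))
    return hits

# Constructed sample lines (documentation addresses, placeholder content).
SAMPLE = [
    '203.0.113.7 - - [04/Oct/2010:10:00:00 +0000] "GET /administrator/index.php?stpl=default&returnTask=editTemplate&task=saveConfig&option=com_sobi2&editing=config&templateContent=PLACEHOLDER HTTP/1.1" 200 512 "http://other.example/page.html" "Mozilla/5.0"',
    '203.0.113.7 - - [04/Oct/2010:10:05:00 +0000] "POST /administrator/index.php?option=com_sobi2&task=saveConfig HTTP/1.1" 200 512 "http://example.test/administrator/index.php?option=com_sobi2" "Mozilla/5.0"',
    '198.51.100.9 - - [04/Oct/2010:10:06:00 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, r in findings(SAMPLE, "example.test"):
        print(f"line {n}: template '{r['stpl']}': " + "; ".join(r["reasons"]))
```

A missing Referer on its own is weak evidence; the GET method on a state-changing task is the stronger signal.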

Timeline

  • Vulnerabilities Discovered: 1 October 2010
  • Vendor Notified: 1 October 2010
  • Vendor Response: 1 October 2010
  • Update Available: 4 October 2010
  • Disclosure: 4 October 2010
Last Updated on Monday, 04 October 2010 13:22
 


The Joomla!® name is used under a limited license from Open Source Matters in the United States and other countries. Jeff Channell is not affiliated with or endorsed by Open Source Matters or the Joomla!® Project.
