[VIM] Confirm: Joomla Component Expose <= RC35 Remote File Upload Vulnerability

George A. Theall theall at tenablesecurity.com
Wed Jul 18 20:56:20 UTC 2007

Milw0rm 4194 is valid. Looking at the code, we have this:

                                --- snip, snip, snip ---
   if (isset($_FILES['userfile'])) {
           $target_path = "../../../components/com_expose/expose/img/";
           $target_path = $target_path. basename( 

           $userfile_name  = (isset($_FILES['userfile']['name']) ? 
$_FILES['userfile']['name'] : "");
           $filename = split("\.", $userfile_name);

           if ((strcasecmp(substr($userfile_name,-4),'.jpg'))) {
           echo "<script>alert('The file must be jpg'); 

$target_path)) {
                                --- snip, snip, snip ---

As you can plainly see, the code doesn't exit if the upload's filename 
doesn't end with '.jpg' but happily continues to move the file over to 
the destination in a directory under the document root.

theall at tenablesecurity.com

More information about the VIM mailing list