[VIM] Confirm: Joomla Component Expose <= RC35 Remote File Upload Vulnerability

George A. Theall theall at tenablesecurity.com
Wed Jul 18 20:56:20 UTC 2007


Milw0rm 4194 is valid. Looking at the code, we have this:

                                --- snip, snip, snip ---
    if (isset($_FILES['userfile'])) {
        $target_path = "../../../components/com_expose/expose/img/";
        $target_path = $target_path . basename($_FILES['userfile']['name']);

        $userfile_name = (isset($_FILES['userfile']['name']) ? $_FILES['userfile']['name'] : "");
        $filename = split("\.", $userfile_name);

        // The extension check only echoes a client-side redirect; execution continues.
        if ((strcasecmp(substr($userfile_name,-4),'.jpg'))) {
            echo "<script>alert('The file must be jpg'); document.location.href='uploadimg.php';</script>";
        }

        // Reached whether or not the check above failed.
        if(!move_uploaded_file($_FILES['userfile']['tmp_name'], $target_path)) {
                                --- snip, snip, snip ---

As you can plainly see, the code doesn't exit if the upload's filename 
doesn't end with '.jpg' but happily continues to move the file over to 
the destination in a directory under the document root.


George
-- 
theall at tenablesecurity.com
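For comparison, here is a hardened counterpart to the upload handler quoted above. This is an added example, not code from the post or from the Expose component; the upload directory, the function name and the error-string convention are assumptions chosen for illustration. The point it demonstrates is the one the post makes: every failed check must return (or exit) before move_uploaded_file() is ever reached, and the client-supplied file name and type must not be trusted.

```php
<?php
// Added example, not code from the VIM post or from the Expose component.
// Hardened counterpart to the quoted upload handler: every failed check
// returns before move_uploaded_file() is reached. The directory path and
// the function name are assumptions for illustration.

const UPLOAD_DIR = __DIR__ . '/uploads/img';   // assumed location; keep it outside the web root where possible

/**
 * Validate and store an uploaded JPEG.
 * Returns the server-generated file name on success, or a string
 * beginning with "error:" on failure.
 */
function store_jpeg_upload(array $file): string
{
    // 1. Presence and PHP-level upload status.
    if (!isset($file['tmp_name'], $file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return 'error: upload failed or missing';
    }

    // 2. The temp file must actually have come through PHP's upload mechanism.
    if (!is_uploaded_file($file['tmp_name'])) {
        return 'error: not an uploaded file';
    }

    // 3. Extension check on the client-supplied name, returning on failure.
    //    The original only echoed a JavaScript redirect and kept going.
    $name = (string)($file['name'] ?? '');
    if (strtolower(pathinfo($name, PATHINFO_EXTENSION)) !== 'jpg') {
        return 'error: the file must be jpg';
    }

    // 4. Content check: name and client MIME type are attacker-controlled,
    //    so parse the bytes. getimagesize() reads the image header.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        return 'error: content is not a JPEG';
    }

    // 5. Never reuse the client-supplied name. A random server-side name
    //    rules out traversal, double extensions and overwriting existing files.
    $stored = bin2hex(random_bytes(16)) . '.jpg';
    $dest   = UPLOAD_DIR . '/' . $stored;

    if (!is_dir(UPLOAD_DIR) && !mkdir(UPLOAD_DIR, 0750, true)) {
        return 'error: cannot create upload directory';
    }
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return 'error: could not store file';
    }
    chmod($dest, 0640);   // stored images never need the execute bit
    return $stored;
}

if (isset($_FILES['userfile'])) {
    $result = store_jpeg_upload($_FILES['userfile']);
    if (strncmp($result, 'error:', 6) === 0) {
        http_response_code(400);
        echo htmlspecialchars($result, ENT_QUOTES, 'UTF-8');
        exit;   // stop here; nothing below may run on a rejected upload
    }
    echo 'Stored as ' . htmlspecialchars($result, ENT_QUOTES, 'UTF-8');
}
```

The extension test alone is not enough even with the early return: the web server, not PHP, decides what gets executed, so the upload directory should additionally be configured to never execute scripts (for example, no PHP handler for that location), and ideally sit outside the document root with images served through a read-only handler.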
