[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 18 Jun 2015 15:56:42 -0700
From: Dean Pierce <pierce403@...il.com>
To: oss-security@...ts.openwall.com
Subject: Joomla! Administrator -> web shell esclalation
I'm not sure if this is more of a bug or an exploitation technique
(depending on Joomla's threat model), but once you have obtained
Administrator or Super User access to a Joomla server, you can
escalate to a shell on the server.
In the "media manager" options, you can add to the list of allowed
file extensions. Interestingly, if you try adding "php" to the
allowed file extensions, it still won't let you upload a web shell.
As it turns out, mod-php, by default on Ubuntu, will execute any files
with an extension that matches this regex : "^.ph(p[345]?|t|tml|ps)$"
If you rename your webshell shell.php3, and add "php3" to the allowed
file extensions, and it will upload just fine.
Possible fixes include tweaking the hardcoded blacklist such that it
matches the default mod-php regex, not serving uploads directly from
the web root, requiring shell access to modify the extension allow
list, etc.
Sent a bug report to Joomla! Security Strike Team on June 2nd, no response.
- DEAN
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
