Joomla! 2.5.x < 2.5.14 / 3.x < 3.1.5 .php. File Upload RCE - Nessus
Medium Plugin ID: 69273This page contains detailed information about the Joomla! 2.5.x < 2.5.14 / 3.x < 3.1.5 .php. File Upload RCE Nessus plugin including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying of this vulnerability.
Plugin Overview
ID: 69273
Name: Joomla! 2.5.x < 2.5.14 / 3.x < 3.1.5 .php. File Upload RCE
Filename: joomla_2514.nasl
Vulnerability Published: 2013-08-01
This Plugin Published: 2013-08-08
Last Modification Time: 2022-04-11
Plugin Version: 1.29
Plugin Type: remote
Plugin Family: CGI abuses
Dependencies:
joomla_detect.nasl
Required KB Items [?]: installed_sw/Joomla!, Settings/ParanoidReport, www/PHP
Vulnerability Information
Severity: Medium
Vulnerability Published: 2013-08-01
Patch Published: 2013-08-01
CVE [?]: CVE-2013-5576
CPE [?]: cpe:/a:joomla:joomla!
Synopsis
The remote web server contains a PHP application that is affected by a remote code execution vulnerability.
Description
According to its self-reported version number, the Joomla! installation running on the remote web server is 2.5.x prior to 2.5.14 or 3.x prior to 3.1.5. It is, therefore, affected by a remote code execution vulnerability due to a failure by the administrator/components/com_media/helpers/media.php script to properly validate the extension of an uploaded file. This allows files with '.php.' extensions to be uploaded and placed in a user-accessible path. An attacker can exploit this issue, via a direct request to such an uploaded file, to execute arbitrary PHP code with the privileges of the web server.
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
Solution
Upgrade to Joomla! version 2.5.14 / 3.1.5 or later. Alternatively, apply the patch referenced in the vendor advisory.
Public Exploits
Target Network Port(s): 80
Target Asset(s): Services/www
Exploit Available: True (Metasploit Framework, Immunity Canvas, D2 Elliot)
Exploit Ease: Exploits are available
Here's the list of publicly known exploits and PoCs for verifying the Joomla! 2.5.x < 2.5.14 / 3.x < 3.1.5 .php. File Upload RCE vulnerability:
- Metasploit: exploit/unix/webapp/joomla_media_upload_exec
[Joomla Media Manager File Upload Vulnerability] - D2 Elliot: joomla_2.5.13__3.1.4_file_upload.html
[Joomla 2.5.13 & 3.1.4 File Upload] - Immunity Canvas: CANVAS
Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.
Risk Information
CVSS Score Source [?]: CVE-2013-5576
CVSS V2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:F/RL:OF/RC:C
| CVSS Base Score: | 6.8 (Medium) |
| Impact Subscore: | 6.4 |
| Exploitability Subscore: | 8.6 |
| CVSS Temporal Score: | 5.6 (Medium) |
| CVSS Environmental Score: | NA (None) |
| Modified Impact Subscore: | NA |
| Overall CVSS Score: | 5.6 (Medium) |
| CVSS Base Score: | 6.3 (Medium) |
| Impact Subscore: | 3.4 |
| Exploitability Subscore: | 2.8 |
| CVSS Temporal Score: | 5.9 (Medium) |
| CVSS Environmental Score: | NA (None) |
| Modified Impact Subscore: | NA |
| Overall CVSS Score: | 5.9 (Medium) |
Go back to menu.
Plugin Source
This is the joomla_2514.nasl nessus plugin source code. This script is Copyright (C) 2013-2022 and is owned by Tenable, Inc. or an Affiliate thereof.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(69273);
script_version("1.29");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");
script_cve_id("CVE-2013-5576");
script_bugtraq_id(61582);
script_xref(name:"CERT", value:"639620");
script_name(english:"Joomla! 2.5.x < 2.5.14 / 3.x < 3.1.5 .php. File Upload RCE");
script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is affected by a
remote code execution vulnerability.");
script_set_attribute(attribute:"description", value:
"According to its self-reported version number, the Joomla!
installation running on the remote web server is 2.5.x prior to 2.5.14
or 3.x prior to 3.1.5. It is, therefore, affected by a remote code
execution vulnerability due to a failure by the
administrator/components/com_media/helpers/media.php script to
properly validate the extension of an uploaded file. This allows files
with '.php.' extensions to be uploaded and placed in a user-accessible
path. An attacker can exploit this issue, via a direct request to such
an uploaded file, to execute arbitrary PHP code with the privileges of
the web server.
Note that Nessus has not tested for this issue but has instead relied
only on the application's self-reported version number.");
# https://developer.joomla.org/security/news/563-20130801-core-unauthorised-uploads
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?01c258b2");
# https://www.joomla.org/announcements/release-news/5506-joomla-2-5-14-released.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3653e23d");
# https://www.joomla.org/announcements/release-news/5505-joomla-3-1-5-stable-released.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7f239a18");
script_set_attribute(attribute:"solution", value:
"Upgrade to Joomla! version 2.5.14 / 3.1.5 or later. Alternatively,
apply the patch referenced in the vendor advisory.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L");
script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2013-5576");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"d2_elliot_name", value:"Joomla 2.5.13 & 3.1.4 File Upload");
script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'Joomla Media Manager File Upload Vulnerability');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
script_set_attribute(attribute:"canvas_package", value:"CANVAS");
script_set_attribute(attribute:"vuln_publication_date", value:"2013/08/01");
script_set_attribute(attribute:"patch_publication_date", value:"2013/08/01");
script_set_attribute(attribute:"plugin_publication_date", value:"2013/08/08");
script_set_attribute(attribute:"potential_vulnerability", value:"true");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:joomla:joomla\!");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2013-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("joomla_detect.nasl");
script_require_keys("installed_sw/Joomla!", "www/PHP", "Settings/ParanoidReport");
script_require_ports("Services/www", 80);
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("install_func.inc");
app = "Joomla!";
get_install_count(app_name:app, exit_if_zero:TRUE);
port = get_http_port(default:80, php:TRUE);
install = get_single_install(
app_name : app,
port : port,
exit_if_unknown_ver : TRUE
);
if (report_paranoia < 2) audit(AUDIT_PARANOID);
version = install['version'];
install_loc = build_url(port:port, qs:install['path']);
fix = "2.5.14 / 3.1.5";
# Check granularity
if (version =~ "^2(\.5)?$" || version =~ "^3(\.1)?$")
audit(AUDIT_VER_NOT_GRANULAR, app, port, version);
# Versions 2.5.x < 2.5.14 and 3.x < 3.1.5 are vulnerable
if (
version =~ "^2\.5($|\.([0-9]|1([0-3]))($|[^0-9]))" ||
version =~ "^3\.0($|[^0-9])" ||
version =~ "^3\.1($|\.[0-4]($|[^0-9]))"
)
{
order = make_list("URL", "Installed version", "Fixed version");
report = make_array(
order[0], install_loc,
order[1], version,
order[2], fix
);
report = report_items_str(report_items:report, ordered_fields:order);
security_report_v4(port:port, extra:report, severity:SECURITY_WARNING);
exit(0);
}
audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_loc, version);
The latest version of this script can be found in these locations depending on your platform:
- Linux / Unix:
/opt/nessus/lib/nessus/plugins/joomla_2514.nasl - Windows:
C:\ProgramData\Tenable\Nessus\nessus\plugins\joomla_2514.nasl - Mac OS X:
/Library/Nessus/run/lib/nessus/plugins/joomla_2514.nasl
Go back to menu.
How to Run
Here is how to run the Joomla! 2.5.x < 2.5.14 / 3.x < 3.1.5 .php. File Upload RCE as a standalone plugin via the Nessus web user interface (https://localhost:8834/):
- Click to start a New Scan.
- Select Advanced Scan.
- Navigate to the Plugins tab.
- On the top right corner click to Disable All plugins.
- On the left side table select CGI abuses plugin family.
- On the right side table select Joomla! 2.5.x < 2.5.14 / 3.x < 3.1.5 .php. File Upload RCE plugin ID 69273.
- Specify the target on the Settings tab and click to Save the scan.
- Run the scan.
Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.
Basic usage:
/opt/nessus/bin/nasl joomla_2514.nasl -t <IP/HOST>Run the plugin with audit trail message on the console:
/opt/nessus/bin/nasl -a joomla_2514.nasl -t <IP/HOST>Run the plugin with trace script execution written to the console (useful for debugging):
/opt/nessus/bin/nasl -T - joomla_2514.nasl -t <IP/HOST>Run the plugin with using a state file for the target and updating it (useful for running multiple plugins on the target):
/opt/nessus/bin/nasl -K /tmp/state joomla_2514.nasl -t <IP/HOST>Go back to menu.
References
BID | SecurityFocus Bugtraq ID: CERT | Computer Emergency Response Team: See also:
- https://www.tenable.com/plugins/nessus/69273
- http://www.nessus.org/u?01c258b2
- http://www.nessus.org/u?7f239a18
- http://www.nessus.org/u?3653e23d
- https://vulners.com/nessus/JOOMLA_2514.NASL
- 22298 - Joomla! < 1.0.11 Unspecified Remote Code Execution
- 22297 - Joomla! < 1.0.11 administrator/index.php Input Weakness
- 66389 - Joomla! 2.5.x < 2.5.10 / 3.0.x < 3.0.4 Multiple Vulnerabilities
- 64634 - Joomla! 2.5.x < 2.5.9 / 3.0.x < 3.0.3 Multiple Vulnerabilities
- 73025 - Joomla! 3.x < 3.2.3 Multiple Vulnerabilities
- 78088 - Joomla! 2.5.x < 2.5.26 / 3.x < 3.2.6 / 3.3.x < 3.3.5 Multiple Vulnerabilities
- 86655 - Joomla! 3.x < 3.4.5 Multiple Vulnerabilities
- 87416 - Joomla! < 3.4.6 Multiple Vulnerabilities
- 94355 - Joomla! 3.4.4 < 3.6.4 Multiple Vulnerabilities
- 95916 - Joomla! < 3.6.5 Multiple Vulnerabilities
- 99691 - Joomla! < 3.7.0 Multiple Vulnerabilities
- 100385 - Joomla! 3.7.x < 3.7.1 fields.php getListQuery() Method SQLi
- 101300 - Joomla! 1.7.3 < 3.7.3 Multiple Vulnerabilities
- 103383 - Joomla! 1.5.0 < 3.8.0 Multiple Vulnerabilities
- 104478 - Joomla! 1.5.0 < 3.8.2 Multiple Vulnerabilities
- 106631 - Joomla! 1.5.0 < 3.8.4 Multiple Vulnerabilities
- 108564 - Joomla! 3.5.0 < 3.8.6 User Notes List View SQL Injection
- 121188 - Joomla! < 3.9.2 Multiple Stored XSS Vulnerabilities
- 123954 - Joomla! 1.5.0 < 3.9.5 Multiple Vulnerabilities
- 43636 - Joomla! / Mambo Component Multiple Parameter Local File Include Vulnerabilities
- 45490 - Joomla! / Mambo Component 'view' Parameter Local File Include
- 88489 - Joomla! User-Agent Object Injection RCE
- 33882 - Joomla! reset.php Reset Token Validation Forgery
- 25992 - Joomla! CMS com_search Component 'searchword' Parameter RCE
- 44689 - Joomla! JoomlaWorks AllVideos Plugin 'file' Parameter Directory Traversal
- 25823 - Joomla! com_content Component 'order' Parameter XSS
Version
This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file joomla_2514.nasl version 1.29. For more plugins, visit the Nessus Plugin Library.
Go back to menu.
