Joomla! 2.5.x < 2.5.14 / 3.x < 3.1.5 .php. File Upload RCE

medium Nessus Plugin ID 69273

Synopsis

The remote web server contains a PHP application that is affected by a remote code execution vulnerability.

Description

According to its self-reported version number, the Joomla! installation running on the remote web server is 2.5.x prior to 2.5.14 or 3.x prior to 3.1.5. It is, therefore, affected by a remote code execution vulnerability due to a failure by the administrator/components/com_media/helpers/media.php script to properly validate the extension of an uploaded file. This allows files with '.php.' extensions to be uploaded and placed in a user-accessible path. An attacker can exploit this issue, via a direct request to such an uploaded file, to execute arbitrary PHP code with the privileges of the web server.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
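Because the plugin relies on the version number alone, a defender may also want to check an upload directory for file names of the kind described above. The following is an added example, not code from the Nessus plugin or from Joomla!; the function names, the extension list and the directory passed to `audit_tree` are assumptions, and it generalizes from the '.php.' case to any PHP extension segment in the name.

```python
import os

# Assumption: extensions commonly mapped to the PHP handler; adjust to the server's config.
PHP_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "pht", "phps", "phar"}


def classify_upload_name(name):
    """Return a list of reasons the file name is suspicious (empty list = clean)."""
    reasons = []
    base = os.path.basename(name)
    # A trailing dot or space makes "text after the last dot" checks see an empty extension.
    trimmed = base.rstrip(". ")
    if trimmed != base:
        reasons.append("trailing dot or space")
    # Inspect every dot-separated segment after the first, not only the last one.
    segments = [s.lower() for s in trimmed.split(".")[1:]]
    hits = sorted({s for s in segments if s in PHP_EXTS})
    if hits:
        reasons.append("PHP extension segment: " + ",".join(hits))
    return reasons


def audit_tree(root):
    """Walk root and return {relative_path: reasons} for names with a PHP extension segment."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            reasons = classify_upload_name(fname)
            if any(r.startswith("PHP") for r in reasons):
                rel = os.path.relpath(os.path.join(dirpath, fname), root)
                findings[rel] = reasons
    return findings


if __name__ == "__main__":
    # Constructed sample names, not taken from any real incident.
    for sample in ["logo.png", "avatar.php.", "report.PHP.jpg", "notes.txt."]:
        print(sample, "->", classify_upload_name(sample) or "ok")
```

Whether a flagged file is actually executed depends on the web server's handler mapping, so treat findings as items to review rather than proof of compromise.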

Solution

Upgrade to Joomla! version 2.5.14 / 3.1.5 or later. Alternatively, apply the patch referenced in the vendor advisory.

See Also

http://www.nessus.org/u?01c258b2

http://www.nessus.org/u?3653e23d

http://www.nessus.org/u?7f239a18

Plugin Details

Severity: Medium

ID: 69273

File Name: joomla_2514.nasl

Version: 1.30

Type: remote

Family: CGI abuses

Published: 8/8/2013

Updated: 6/5/2024

Configuration: Enable paranoid mode, Enable thorough checks

Supported Sensors: Nessus

Enable CGI Scanning: true

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.6

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2013-5576

CVSS v3

Risk Factor: Medium

Base Score: 6.3

Temporal Score: 5.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:joomla:joomla%5c%21

Required KB Items: www/PHP, Settings/ParanoidReport, installed_sw/Joomla!

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 8/1/2013

Vulnerability Publication Date: 8/1/2013

Exploitable With

CANVAS (CANVAS)

Metasploit (Joomla Media Manager File Upload Vulnerability)

Elliot (Joomla 2.5.13 & 3.1.4 File Upload)

Reference Information

CVE: CVE-2013-5576

BID: 61582

CERT: 639620