Re: file upload vulnerability in joomla media component

["Gavin Hanover" <netmunky () gmail com>]

so an adminstrator that already has access to create html content in
com_content, among other places, has access to upload html files named
as image files?

i would hardly call that a serious issue.

On 19 Sep 2007 10:10:34 -0000, vinodsharma.mmit () gmail com
<vinodsharma.mmit () gmail com> wrote:
> OverView:
> There is a programming flaw in com_media component of joomla content mangement system. Com_media component allows 
> only image(.png, .jpeg, .gif) file to be uploaded to the server. but flaw is that we can upload any html files by 
> changing it name something like example.html.png
>
> Affected Product: Joomla 1.0.13
>
> Proof of Concept:
>
> Below are the steps for POC:
>
> STEP1: first create an html file with any script
>       code.
> STEP2: Login into joomla with administrator
>       credentials and click on media manager
>       component.
> STEP3: use the image upload utility to upload
>       crafted png file with name index.html.png
> STEP4: joomla will not show any error and file is
>       uploaded.
> STEP5: Then just click on that file and script
>       code written in that file get executed by
>       user browser
>
> If we change the filename in step2 with example.html then try to upload,  joomla will show an error that file type is 
> not supported.
>
> According to me its a serious issue in the joomla image upload alogorithm that does`nt properly validate the format 
> of file uploaded.
>
> If Com_media component is accessible to any user other then above issue can be use to upload any html file remotely. 
> i am not able to com_media component access without administartor credentials.


-- 
In God we trust,
Everyone else must have an x.509 certificate.