oss-sec mailing list archives

Joomla! Administrator -> web shell escalation


From: Dean Pierce <pierce403 () gmail com>
Date: Thu, 18 Jun 2015 15:56:42 -0700

I'm not sure if this is more of a bug or an exploitation technique
(depending on Joomla's threat model), but once you have obtained
Administrator or Super User access to a Joomla server, you can
escalate to a shell on the server.

In the "media manager" options, you can add to the list of allowed
file extensions.  Interestingly, if you try adding "php" to the
allowed file extensions, it still won't let you upload a web shell.

As it turns out, mod-php, by default on Ubuntu, will execute any files
with an extension that matches this regex : "^.ph(p[345]?|t|tml|ps)$"
If you rename your webshell shell.php3, and add "php3" to the allowed
file extensions, it will upload just fine.

Possible fixes include tweaking the hardcoded blacklist such that it
matches the default mod-php regex, not serving uploads directly from
the web root, requiring shell access to modify the extension allow
list, etc.

Sent a bug report to Joomla! Security Strike Team on June 2nd, no response.

  - DEAN
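As an added defender-side check (not part of Dean's post or of Joomla's own code): a small Python audit that applies the mod-php extension regex quoted above to a Media Manager allow list, and shows the upload filter hardened in the way the post proposes. The allow list and filenames are constructed samples; the regex is applied to "." plus the bare extension and matched case-insensitively, both of which are assumptions made here.

```python
import re

# Extension pattern that mod-php executes, as quoted in the post. The post
# writes it without an escaped dot, so we match it against "." + extension.
# Case-insensitive matching is a conservative assumption, not Apache's default.
MOD_PHP_EXT_RE = re.compile(r"^.ph(p[345]?|t|tml|ps)$", re.IGNORECASE)


def _normalize(ext: str) -> str:
    """Strip whitespace and a leading dot, lower-case: ' .PHP3 ' -> 'php3'."""
    return ext.strip().lstrip(".").lower()


def is_server_executable(ext: str) -> bool:
    """True if a file with this extension would be handed to mod-php."""
    return bool(MOD_PHP_EXT_RE.match("." + _normalize(ext)))


def audit_allow_list(allowed: str) -> list:
    """Given the comma-separated Media Manager allow list, return (sorted,
    de-duplicated) the entries that the server would execute as PHP."""
    exts = {_normalize(e) for e in allowed.split(",") if e.strip()}
    return sorted(e for e in exts if is_server_executable(e))


def upload_permitted(filename: str, allowed: str) -> bool:
    """Upload check hardened as the post suggests: the extension must be on
    the admin-controlled allow list AND must not match the handler regex, so
    adding 'php3' to the allow list no longer lets an executable file in."""
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    allowed_set = {_normalize(e) for e in allowed.split(",") if e.strip()}
    return _normalize(ext) in allowed_set and not is_server_executable(ext)


if __name__ == "__main__":
    # Constructed sample: a default-looking list to which an admin added php3.
    sample_list = "gif, jpg, png, pdf, php3"
    print("executable entries:", audit_allow_list(sample_list))
    print("shell.php3 allowed:", upload_permitted("shell.php3", sample_list))
    print("photo.png allowed: ", upload_permitted("photo.png", sample_list))
```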

