[VIM] Confirm: Joomla Component Expose <= RC35 Remote File Upload Vulnerability
George A. Theall
theall at tenablesecurity.com
Wed Jul 18 20:56:20 UTC 2007
Milw0rm 4194 is valid. Looking at the code, we have this:
--- snip, snip, snip ---
if (isset($_FILES['userfile'])) {
    $target_path = "../../../components/com_expose/expose/img/";
    $target_path = $target_path. basename($_FILES['userfile']['name']);
    $userfile_name = (isset($_FILES['userfile']['name']) ?
        $_FILES['userfile']['name'] : "");
    $filename = split("\.", $userfile_name);
    if ((strcasecmp(substr($userfile_name,-4),'.jpg'))) {
        echo "<script>alert('The file must be jpg');
            document.location.href='uploadimg.php';</script>";
    }
    if(!move_uploaded_file($_FILES['userfile']['tmp_name'],
            $target_path)) {
--- snip, snip, snip ---
As you can plainly see, the code doesn't exit if the upload's filename
doesn't end with '.jpg' but happily continues to move the file over to
the destination in a directory under the document root.
George
--
theall at tenablesecurity.com
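
A hardened form of the upload check discussed above, as an added example that is not part of the original message and is not Expose's own code. The destination directory, the size limit and the reject() helper are assumptions made for illustration.

```php
<?php
// Added example, not Expose's code. UPLOAD_DIR, MAX_BYTES and reject()
// are hypothetical names chosen for illustration.
const UPLOAD_DIR = __DIR__ . '/img/';
const MAX_BYTES  = 2 * 1024 * 1024;

// Send an error and stop. The original printed an alert and kept going.
function reject(int $status, string $msg): void
{
    http_response_code($status);
    exit($msg);
}

// A single-file field has an integer error code; an array here means
// the request used userfile[] and is refused.
if (!isset($_FILES['userfile']) || !is_int($_FILES['userfile']['error'])) {
    reject(400, 'Expected exactly one file in "userfile"');
}
$file = $_FILES['userfile'];

if ($file['error'] !== UPLOAD_ERR_OK) {
    reject(400, 'Upload failed');
}
if ($file['size'] > MAX_BYTES) {
    reject(413, 'File too large');
}

// Decide from the file content, not from the client-supplied name.
$info = @getimagesize($file['tmp_name']);
if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
    reject(415, 'The file must be a JPEG image');
}

// Server-chosen name with a fixed extension: nothing from
// $_FILES['userfile']['name'] reaches the file system.
$target = UPLOAD_DIR . bin2hex(random_bytes(16)) . '.jpg';

if (!move_uploaded_file($file['tmp_name'], $target)) {
    reject(500, 'Could not store the file');
}
echo 'Stored as ' . htmlspecialchars(basename($target));
```

The upload directory should additionally be configured so that the web server never executes scripts from it.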