Menu

Search for hundreds of thousands of exploits

"Joomla! 3.0.3 - 'remember.php' PHP Object Injection"

Author

Exploit author

EgiX

Platform

Exploit platform

php

Release date

Exploit published date

2013-04-26

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
------------------------------------------------------------------
Joomla! <= 3.0.3 (remember.php) PHP Object Injection Vulnerability
------------------------------------------------------------------


[-] Software Link:

http://www.joomla.org/


[-] Affected Versions:

Version 3.0.3 and earlier 3.0.x versions.
Version 2.5.9 and earlier 2.5.x versions.


[-] Vulnerability Description:

The vulnerable code is located in /plugins/system/remember/remember.php:

34.	$hash = JApplication::getHash('JLOGIN_REMEMBER');
35.	 
36.	if ($str = JRequest::getString($hash, '', 'cookie', JREQUEST_ALLOWRAW | JREQUEST_NOTRIM))
37.	{
38.	    // Create the encryption key, apply extra hardening using the user agent string.
39.	    // Since we're decoding, no UA validity check is required.
40.	    $privateKey = JApplication::getHash(@$_SERVER['HTTP_USER_AGENT']);
41.	 
42.	    $key = new JCryptKey('simple', $privateKey, $privateKey);
43.	    $crypt = new JCrypt(new JCryptCipherSimple, $key);
44.	    $str = $crypt->decrypt($str);
45.	    $cookieData = @unserialize($str);

User input passed through cookies is not properly sanitized before being used in an unserialize()
call at line 45. This could be exploited to inject arbitrary PHP objects into the application scope.
Successful exploitation of this vulnerability requires authentication because the attacker needs
to know the "hash string" used to read the cookie parameter at line 36.


[-] Solution:

Upgrade to version 2.5.10, 3.0.4 or 3.1.0.


[-] Disclosure Timeline:

[04/12/2012] - Vendor alerted for a possible vulnerability
[13/02/2013] - Vulnerability confirmed and proof of concept sent to the vendor
[24/04/2013] - Vendor update released
[26/04/2013] - Public disclosure


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2013-3242 to this vulnerability.


[-] Credits:

Vulnerability discovered by Egidio Romano.


[-] Original Advisory:

http://karmainsecurity.com/KIS-2013-04
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "WonderCMS 3.1.3 - 'Menu' Persistent Cross-Site Scripting" webapps php "Hemant Patidar"
2020-12-02 "WordPress Plugin Wp-FileManager 6.8 - RCE" webapps php "Mansoor R"
2020-12-02 "WonderCMS 3.1.3 - Authenticated SSRF to Remote Remote Code Execution" webapps php zetc0de
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - Password Reset leading to Account Takeover" webapps php "Mufaddal Masalawala"
2020-12-02 "Simple College Website 1.0 - 'page' Local File Inclusion" webapps php Mosaaed
2020-12-02 "Car Rental Management System 1.0 - SQL Injection / Local File include" webapps php Mosaaed
2020-12-02 "Pharmacy Store Management System 1.0 - 'id' SQL Injection" webapps php "Aydın Baran Ertemir"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "WonderCMS 3.1.3 - Authenticated Remote Code Execution" webapps php zetc0de
2020-12-01 "Multi Restaurant Table Reservation System 1.0 - Multiple Persistent XSS" webapps php yunaranyancat
Release Date Title Type Platform Author
2019-10-07 "vBulletin 5.0 < 5.5.4 - 'updateAvatar' Authenticated Remote Code Execution" webapps php EgiX
2013-11-08 "Vanilla Forums 2.0 < 2.0.18.5 - 'class.utilitycontroller.php' PHP Object Injection" webapps php EgiX
2013-08-02 "vTiger CRM 5.4.0 SOAP - Multiple Vulnerabilities" webapps php EgiX
2013-04-26 "Joomla! 3.0.3 - 'remember.php' PHP Object Injection" webapps php EgiX
2013-02-27 "Joomla! 3.0.2 - 'highlight.php' PHP Object Injection" webapps php EgiX
2013-02-07 "CubeCart 5.2.0 - 'cubecart.class.php' PHP Object Injection" webapps php EgiX
2013-01-28 "DataLife Engine 9.7 - 'preview.php' PHP Code Injection" webapps php EgiX
2012-11-01 "Invision Power Board (IP.Board) 3.3.4 - 'Unserialize()' PHP Code Execution" webapps php EgiX
2012-07-04 "Tiki Wiki CMS Groupware 8.3 - 'Unserialize()' PHP Code Execution" webapps php EgiX
2012-06-23 "SugarCRM CE 6.3.1 - 'Unserialize()' PHP Code Execution" webapps php EgiX
2012-05-02 "OpenConf 4.11 - '/author/edit.php' Blind SQL Injection" webapps php EgiX
2012-04-23 "WebCalendar 1.2.4 - Remote Code Execution" webapps php EgiX
2012-03-23 "PHPFox 3.0.1 - 'ajax.php' Remote Command Execution" webapps php EgiX
2012-01-27 "vBSEO 3.6.0 - 'proc_deutf()' Remote PHP Code Injection (Metasploit)" webapps php EgiX
2012-01-23 "WordPress Plugin Kish Guest Posting 1.0 - Arbitrary File Upload" webapps php EgiX
2012-01-19 "appRain CMF 0.1.5 - 'Uploadify.php' Unrestricted Arbitrary File Upload" webapps php EgiX
2011-12-22 "Tiki Wiki CMS Groupware 8.2 - 'snarf_ajax.php' Remote PHP Code Injection" webapps php EgiX
2011-12-07 "Traq 2.3 - Authentication Bypass / Remote Code Execution" webapps php EgiX
2011-11-30 "WikkaWiki 1.3.2 - Multiple Vulnerabilities" webapps php EgiX
2011-11-23 "PmWiki 2.2.34 - 'pagelist' Remote PHP Code Injection (1)" webapps php EgiX
2011-11-19 "Support Incident Tracker 3.65 - 'translate.php' Remote Code Execution" webapps php EgiX
2011-11-16 "FreeWebShop 2.2.9 R2 - 'ajax_save_name.php' Remote Code Execution" webapps php EgiX
2011-11-13 "WordPress Plugin Zingiri 2.2.3 - 'ajax_save_name.php' Remote Code Execution" webapps php EgiX
2011-11-05 "ZenPhoto 1.4.1.4 - 'ajax_create_folder.php' Remote Code Execution" webapps php EgiX
2011-11-05 "PHPMyFAQ 2.7.0 - 'ajax_create_folder.php' Remote Code Execution" webapps php EgiX
2011-11-05 "aidiCMS 3.55 - 'ajax_create_folder.php' Remote Code Execution" webapps php EgiX
2011-11-04 "Ajax File and Image Manager 1.0 Final - Remote Code Execution" webapps php EgiX
2011-10-27 "eFront 3.6.10 (build 11944) - Multiple Vulnerabilities" webapps php EgiX
2011-10-23 "phpLDAPadmin 1.2.1.1 - Remote PHP Code Injection (1)" webapps php EgiX
2011-10-18 "Dolphin 7.0.7 - 'member_menu_queries.php' Remote PHP Code Injection" webapps php EgiX 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected