Joomla <= (fsave Plugin) Local File Disclosure Vulnerability
~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[+] Author : KnocKout
[~] Contact : knockout@e-mail.com.tr
[~] Skype : knockoutr@msn.com
[~] Greetz : b3mb4m, ZoRLu, Sen Haxor, Ne0-h4ck3r, KedAns-Dz ( milw00rm.com )
===================================================================
~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|~Web App. : Joomla
|~Plugin : fsave
|~Affected Version : 2.0
|~Software : N/A
|~RISK : High
|~Google Dork : inurl:plugins/content/fsave/
===================================================================
======================Info=========================================
can be easily found in any database password for this "configuration.php" will be sufficient to read
possible to read the file on the local database.
incorrect coding and unconscious in it causing "download.php" file.
that's laughter reason codes:)
============ Error line's in download.php ===========================
<?php
define('JPATH_BASE', dirname(dirname(dirname(dirname(__FILE__)))));
$file = JPATH_BASE."/".$_GET['filename'];
header('Content-Description: File Transfer');
header("Content-type: application/octet-stream");
header("Content-disposition: attachment; filename=".basename($file));
header('Content-Transfer-Encoding: binary');
header('Expires: 0');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Pragma: public');
header("Content-Length: " . filesize($file));
ob_clean();
flush();
readfile($file);
?>
======================================================================
======================== Tested on Demos ============================
http:
http:
http:
http:
http:
http:
http:
=======================================================================
========================= Exploitation ====================
http:
=======================================================================
اخى الكريم , قبل اضافة التعليق تذكر قول الله تعالى "ما يلفظ من قول الا لديه رقيب عتيد"