6.8
CVSSv2

CVE-2013-5576

Published: 09/10/2013 Updated: 01/12/2013
CVSS v2 Base Score: 6.8 | Impact Score: 6.4 | Exploitability Score: 8.6
VMScore: 725
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Summary

administrator/components/com_media/helpers/media.php in the media manager in Joomla! 2.5.x prior to 2.5.14 and 3.x prior to 3.1.5 allows remote authenticated users or remote attackers to bypass intended access restrictions and upload files with dangerous extensions via a filename with a trailing . (dot), as exploited in the wild in August 2013.

Affected Products

Vendor Product Versions
JoomlaJoomla!2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.5.6, 2.5.7, 2.5.8, 2.5.9, 2.5.10, 2.5.11, 2.5.12, 2.5.13, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4

Exploits

## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions Please see the Metasploit # Framework web site for more information on licensing and terms of use # metasploitcom/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking ...

Metasploit Modules

Joomla Media Manager File Upload Vulnerability

This module exploits a vulnerability found in Joomla 2.5.x up to 2.5.13, as well as 3.x up to 3.1.4 versions. The vulnerability exists in the Media Manager component, which comes by default in Joomla, allowing arbitrary file uploads, and results in arbitrary code execution. The module has been tested successfully on Joomla 2.5.13 and 3.1.4 on Ubuntu 10.04. Note: If public access isn't allowed to the Media Manager, you will need to supply a valid username and password (Editor role or higher) in order to work properly.

msf > use exploit/unix/webapp/joomla_media_upload_exec
      msf exploit(joomla_media_upload_exec) > show targets
            ...targets...
      msf exploit(joomla_media_upload_exec) > set TARGET <target-id>
      msf exploit(joomla_media_upload_exec) > show options
            ...show and set options...
      msf exploit(joomla_media_upload_exec) > exploit