Joomla! Convert Forms extension security vulnerability

Vulnerability ID: 1124969    Vulnerability type: command injection (formula/CSV injection)
Published: 2018-04-12    Updated: 2019-10-23
CVE ID: CVE-2018-10063    CNNVD ID: CNNVD-201804-600
Platform: PHP    CVSS score: 6.8
|Sources
https://www.exploit-db.com/exploits/44447
https://cxsecurity.com/issue/WLB-2018040100
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201804-600
|Details
Joomla! is an open-source content management system (CMS) developed by the Open Source Matters team in the United States; it provides RSS feeds, site search and similar features. Convert Forms is a form-builder extension for Joomla!. Convert Forms versions 2.0.3 and earlier contain a formula injection (CSV injection) flaw: form fields submitted by an unauthenticated remote user are written unescaped into the CSV export of form submissions. When a privileged user downloads that export and opens it in a spreadsheet application, a cell beginning with a formula character (such as @ or =) is evaluated, and a DDE payload in it can execute commands on that user's machine. The issue is fixed in version 2.0.4.
|Exploit
# Exploit Title: Joomla Extension Convert Forms version 2.0.3 is vulnerable to Formula Injection (CSV Injection)
# Google Dork: N/A
# Date: 12-04-2018
################################
# Exploit Author: Jetty Sairam
################################
# Software Link: https://extensions.joomla.org/extensions/extension/contacts-and-feedback/forms/convert-forms/
# Affected Version: 2.0.3 and before
#Category: Plugins and Extensions
# Tested on: WiN7_x64
# CVE : CVE-2018-10063

1. Application Description:
Convert Forms provides a framework to build custom forms for Joomla users.
2. Technical Description:
Convert Forms version 2.0.3 is affected by remote command execution via CSV injection. Form field values are written unescaped into the CSV export of submissions, so a public (unauthenticated) user can submit a cell that begins with a formula character. When a higher-privileged user exports the form data as CSV and opens the file in a spreadsheet application on their own machine, the formula is evaluated and the embedded DDE command runs in that user's context (subject to the spreadsheet's external-content / DDE prompts, which the user must accept).
3. Proof Of Concept:
Enter the payload @SUM(1+1)*cmd|' /C calc'!A0 in a form field and submit the form.
A high-privileged user logs into the application, exports the form data as CSV and opens the file in Excel.
The formula is evaluated and the calculator pops up on that user's machine.
4. Solution:
Upgrade to version 2.0.4
https://extensions.joomla.org/extensions/extension/contacts-and-feedback/forms/convert-forms/
5. Reference:
https://vel.joomla.org/resolved/2160-convert-forms-2-0-3-csv-injection
https://www.tassos.gr/blog/convert-forms-2-0-4-security-release
https://vel.joomla.org/articles/2140-introducing-csv-injection
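The fix in 2.0.4 is to neutralise formula-triggering cells at export time. The following is an added example that is not part of the exploit write-up and not the Convert Forms patch itself (that extension is PHP; Python is used here because the technique is language-independent): it detects cells that a spreadsheet would evaluate, prefixes them with a single quote so they render as text, and writes the export with every field quoted. The function names and the sample submissions are constructed for illustration; the second submission carries the DDE payload from the proof of concept above.

```python
import csv
import io

# Leading characters that Excel, LibreOffice and Google Sheets interpret as the
# start of a formula. TAB and CR are included because they can hide a formula
# behind a field separator when the file is imported.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def looks_numeric(value: str) -> bool:
    """True for plain numbers such as '-12.5' or '+3', which must stay numeric."""
    try:
        float(value)
        return True
    except ValueError:
        return False


def is_formula_cell(value: str) -> bool:
    """Detect a cell that a spreadsheet would evaluate rather than display."""
    return value.startswith(FORMULA_TRIGGERS) and not looks_numeric(value)


def sanitize_cell(value: str) -> str:
    """Prefix a formula cell with a single quote, which spreadsheets treat as
    a 'render as text' marker. Quoting of the field itself is left to csv."""
    if is_formula_cell(value):
        return "'" + value
    return value


def export_csv(rows, fieldnames, sanitize=True) -> str:
    """Render submissions as CSV. sanitize=False reproduces the vulnerable
    export (values written verbatim); sanitize=True is the hardened form."""
    buf = io.StringIO()
    writer = csv.DictWriter(
        buf, fieldnames=fieldnames, quoting=csv.QUOTE_ALL, lineterminator="\n"
    )
    writer.writeheader()
    for row in rows:
        if sanitize:
            row = {k: sanitize_cell(str(v)) for k, v in row.items()}
        writer.writerow(row)
    return buf.getvalue()


# Constructed sample submissions (hypothetical data, not from the page).
FIELDS = ["name", "email", "message"]
SUBMISSIONS = [
    {"name": "Alice", "email": "alice@example.com", "message": "Hello"},
    {"name": "@SUM(1+1)*cmd|' /C calc'!A0", "email": "x@example.com",
     "message": '=HYPERLINK("http://attacker.example/")'},
    {"name": "Bob", "email": "bob@example.com", "message": "-5"},
]


if __name__ == "__main__":
    print("--- vulnerable export ---")
    print(export_csv(SUBMISSIONS, FIELDS, sanitize=False))
    print("--- hardened export ---")
    print(export_csv(SUBMISSIONS, FIELDS))
```

Two details matter in practice: a leading minus or plus on a genuine number must not be escaped (otherwise every negative amount becomes text), which is why looks_numeric() is consulted before prefixing; and the single-quote prefix only defends spreadsheet users, so the export should additionally be served with a Content-Type and filename that do not invite automatic opening, and users should decline the DDE / external-content prompt when a CSV from an untrusted form asks for it.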
|References

Source: www.tassos.gr
Link: https://www.tassos.gr/blog/convert-forms-2-0-4-security-release