漏洞概要

漏洞标题:
Joomla Convert Forms version 2.0.3 – Formula Injection (CSV Injection)

提交时间:
2018-04-12

危害等级:

相关厂商:

漏洞分类:
exp公布

关注度:
共 8 人关注

漏洞详情

EDB-ID: 44447 Author: Sairam Jetty Published: 2018-04-12
CVE:
CVE-2018-10063
Type: Webapps Platform: PHP

E-DB Verified:
<a href="javascript:void(0);" data-trigger="focus" data-toggle="popover" data-placement="top" data-content='We make an effort to verify exploits (verifty) in our labs, when possible. A “non verified” exploit (marked by a clock icon clock) simply means we did not have the opportunity to test the exploit internally.’>
Waiting verification

Exploit:

Download Exploit Code Download

/

View Raw

Vulnerable App:
N/A
# Exploit Title: Joomla Extension Convert Forms version 2.0.3 -  Formula Injection (CSV Injection)
# Google Dork: N/A
# Date: 12-04-2018
################################
# Exploit Author: Jetty Sairam
################################
# Software Link: https://extensions.joomla.org/extensions/extension/contacts-and-feedback/forms/convert-forms/
# Affected Version: 2.03 and before
#Category: Plugins and Extensions
# Tested on: WiN7_x64
# CVE : CVE-2018-10063

1. Application Description:
 Convert Forms provides a framework to build custom forms for Joomla users.

2. Technical Description:
Custom Forms version 2.0.3 is affected by the vulnerability Remote Command Execution using CSV Injection. This allows a public user to inject commands as a part of form fields and when a user with higher privilege exports the form data in CSV opens the file on their machine, the command is executed.

3. Proof Of Concept:
Enter the payload @SUM(1+1)*cmd|' /C calc'!A0 in the form fields and submit.
When high privileged user logs into the application to export form data in CSV and opens the file.
Formula gets executed and calculator will get popped in his machine.

4. Solution:
Upgrade to version 2.0.4
https://extensions.joomla.org/extensions/extension/contacts-and-feedback/forms/convert-forms/

5. Reference:
https://www.tassos.gr/blog/convert-forms-2-0-4-security-release
https://vel.joomla.org/articles/2140-introducing-csv-injection

发表评论

电子邮件地址不会被公开。 必填项已用*标注