Joomla! / Mambo Remository Component Arbitrary File Upload Vulnerability

SECUNIA ADVISORY ID:
SA41161

VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/41161/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=41161

RELEASE DATE:
2010-08-27

DESCRIPTION:
A vulnerability has been discovered in the Remository component for
Joomla! / Mambo, which can be exploited by malicious users to
compromise a vulnerable system.

The vulnerability is caused by an error in the application when
uploading thumbnails: the file extension is not validated, so files
with arbitrary extensions can be uploaded to a folder inside the
webroot. This can be exploited to e.g. execute arbitrary PHP code by
uploading a PHP file and then requesting it directly.

NOTE: The stored file name is derived from the original file name and
a time stamp and is therefore predictable, so an attacker can locate
the uploaded file without a directory listing.

The vulnerability is confirmed in version 3.53.5J on Joomla!. Other
versions may also be affected.

SOLUTION:
Restrict access to the "components/com_remository_files" directory
(e.g. via .htaccess). Note that this only prevents uploaded files from
being requested (or executed) directly; it does not stop the upload
itself, so the directory should still be checked for files that are
not images.
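The following is an added example, not code from the advisory or from
Remository: it shows the extension allow-list check that the thumbnail
upload should have applied, and uses the same check to audit an upload
directory such as "components/com_remository_files" for files that do
not belong there. The allow-list, the executable-extension list and the
sample file names (built in the style "original name plus time stamp"
the advisory describes) are assumptions for illustration.

```python
"""Allow-list check for thumbnail uploads plus an audit of an upload
directory for anything that is not an image.

Added example, not Remository's own code. The extension lists and the
constructed sample tree are assumptions."""
import os
import tempfile

# Extensions a thumbnail upload should accept (assumed allow-list).
ALLOWED_THUMBNAIL_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Extensions a web server commonly hands to a server-side interpreter.
# Not exhaustive; extend for the handlers configured on your server.
SERVER_EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar"}


def is_allowed_thumbnail(filename):
    """Return True only if the last extension is an image type and no
    executable extension appears elsewhere in the name (e.g. x.php.jpg),
    since some server configurations still run such double extensions."""
    base = os.path.basename(filename)
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False  # no extension, or a dot-file such as ".jpg"
    if parts[-1] not in ALLOWED_THUMBNAIL_EXTENSIONS:
        return False
    return not any(p in SERVER_EXECUTABLE_EXTENSIONS for p in parts[1:-1])


def find_suspicious_files(root):
    """Walk an upload directory and return the relative paths of files that
    fail the thumbnail allow-list; these are candidates for a web shell."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name == ".htaccess":  # the access-restriction file itself
                continue
            if not is_allowed_thumbnail(name):
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


def demo():
    """Build a constructed sample tree standing in for the upload directory
    and audit it. Names mimic 'original name plus time stamp'."""
    with tempfile.TemporaryDirectory() as root:
        sample = [
            "thumbs/photo_1282867200.jpg",      # benign thumbnail
            "thumbs/logo_1282867201.png",       # benign thumbnail
            "thumbs/shell_1282867202.php",      # arbitrary extension accepted
            "thumbs/shell_1282867203.php.jpg",  # double extension
            "thumbs/.htaccess",                 # mitigation file, ignored
        ]
        for rel in sample:
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("x")
        return find_suspicious_files(root)


if __name__ == "__main__":
    for hit in demo():
        print("suspicious:", hit)
```

Run it against the real directory by calling find_suspicious_files on
its path; anything it reports was accepted by the upload without an
extension check and should be treated as attacker-controlled until
reviewed. The allow-list belongs in the upload handler as well, so that
the .htaccess restriction is a second layer rather than the only one.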

PROVIDED AND/OR DISCOVERED BY:
J3yk0ob
