Joomla! Core Design Scriptegrator Plugin Two File Inclusion Vulnerabilities

SECUNIA ADVISORY ID:
SA44883

VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/44883/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=44883

RELEASE DATE:
2011-06-14

DESCRIPTION:
Two vulnerabilities have been discovered in the Core Design
Scriptegrator plugin for Joomla!, which can be exploited by malicious
people to disclose sensitive information.

1) Input passed to the "files[]" parameter in
plugins/system/cdscriptegrator/libraries/highslide/css/cssloader.php
is not properly verified before being used to include files. This can
be exploited to include arbitrary files from local resources via
directory traversal attacks and URL-encoded NULL bytes.

2) Input passed to the "file" parameter in
plugins/system/cdscriptegrator/libraries/jquery/theme/cssloader.php
is not properly verified before being used to include files. This can
be exploited to include arbitrary files from local resources via
directory traversal attacks and URL-encoded NULL bytes.

Successful exploitation requires that "magic_quotes_gpc" is
disabled.

The vulnerabilities are confirmed in version 1.5.5. Other versions
may also be affected.

SOLUTION:
Edit the source code to ensure that input is properly verified.

PROVIDED AND/OR DISCOVERED BY:
jdc