Understanding Joomla Component com_bfsurvey Local File Inclusion

What this paper is
This paper describes a Local File Inclusion (LFI) vulnerability in a specific Joomla component called com_bfsurvey. An LFI vulnerability allows an attacker to trick a web application into including and executing files from the server's local filesystem that it shouldn't have access to. In this case, the vulnerability is in how the com_bfsurvey component handles user-supplied input, allowing an attacker to specify arbitrary file paths.
Simple technical breakdown
The vulnerability lies in the way the com_bfsurvey component processes a parameter in its URL. When a user visits a page that uses this component, they can provide a value for a parameter that the component uses to load other files. If this parameter is not properly sanitized, an attacker can provide a path to a sensitive file on the server (like configuration files or system files) and trick the web server into displaying its contents or even executing it.
Complete code and payload walkthrough
The provided "code" is not actual executable code in the traditional sense, but rather a description of the vulnerable URL structure and a "dork" for searching.
- @~~=======================================~~@: These lines are purely decorative and used for formatting within the original exploit text. They have no functional purpose.
- @~~=Script : Joomla Component com_bfsurvey: Identifies the vulnerable software component.
- @~~=Author : FL0RiX: Credits the discoverer of the vulnerability.
- @~~=HomePage: www.oltan.org: Provides the author's website.
- @~~=Greez : Deep-Power ,Pyske,Wretch-x & All Friends: Acknowledges individuals or groups. This is common in exploit releases.
- @~~=Bug Type : Local File Inlusion(LFI): Clearly states the type of vulnerability.
- @~~=Dork : inurl:"com_bfsurvey": This is a Google search query (a "dork") that helps find websites running the vulnerable component. inurl: restricts the search to URLs containing the specified string.
- @~~=======================================~~@: Again, decorative formatting.
- @~~=Vuln: Short for "Vulnerability".
- : http://site/ [Yol] /index.php?option=com_bfsurvey&controller= [-LFI-]: This line describes the vulnerable URL pattern.
  - http://site/: Represents the base URL of the target Joomla website.
  - [Yol]: An unknown placeholder. It is unclear from the provided text what [Yol] is intended to represent; it might be a directory path or another parameter, but its exact meaning is not specified.
  - /index.php: The main entry point for Joomla.
  - ?option=com_bfsurvey: Specifies that the com_bfsurvey component should be loaded.
  - &controller=: This is where the LFI occurs. The vulnerability likely lies in how the component handles the value passed to the controller parameter. An attacker would append a path to a file here, often using directory traversal sequences like ../../.
Mapping list:
- @~~=... lines: Decorative formatting.
- @~~=Script : Joomla Component com_bfsurvey: Identifies the vulnerable component.
- @~~=Author : FL0RiX: Author attribution.
- @~~=HomePage: www.oltan.org: Author's website.
- @~~=Greez : ...: Acknowledgements.
- @~~=Bug Type : Local File Inlusion(LFI): Vulnerability type.
- @~~=Dork : inurl:"com_bfsurvey": Search query for finding vulnerable sites.
- http://site/ [Yol] /index.php?option=com_bfsurvey&controller= [-LFI-]: The vulnerable URL structure. [-LFI-] indicates the point where the attacker injects the file path.
Shellcode/Payload:
There is no executable shellcode or payload provided in this paper. The exploit is purely based on manipulating URL parameters to achieve Local File Inclusion. The "payload" in this context is the content of the file that the attacker wishes to retrieve or execute.
Practical details for offensive operations teams
- Required Access Level: Typically, no specific elevated access is required beyond being able to send HTTP requests to the target web server. This is a remote, unauthenticated vulnerability.
- Lab Preconditions:
  - A running Joomla instance with the com_bfsurvey component installed.
  - Knowledge of the Joomla installation path on the server.
  - A target web server accessible via HTTP/HTTPS.
  - A vulnerable version of com_bfsurvey (versions prior to a patch, which is not specified in the paper).
- Tooling Assumptions:
  - Web browser for manual testing.
  - HTTP proxy (e.g., Burp Suite, OWASP ZAP) for intercepting and modifying requests.
  - Scripting language (e.g., Python, PHP) for automated scanning and exploitation.
  - A tool like wfuzz or dirb could be adapted to fuzz the controller parameter.
- Execution Pitfalls:
  - Incorrect Path: The attacker needs to guess or know the server's file structure to correctly traverse to the desired file (e.g., ../../../../configuration.php).
  - Web Server Configuration: Some web server configurations might prevent LFI by disallowing directory traversal or by sanitizing input more aggressively.
  - Component Version: The vulnerability is specific to a particular version of com_bfsurvey. Newer versions may have patched this.
  - [Yol] Placeholder: The exact meaning of [Yol] is unknown. If it is a required parameter or directory, it could complicate exploitation.
  - File Permissions: The web server process must have read permissions for the target file.
  - Output Filtering: The web application might filter or sanitize the output of the included file, making it difficult to read sensitive information.
Where this was used and when
- Context: This vulnerability was likely used by attackers to gain unauthorized access to sensitive information on Joomla websites running the com_bfsurvey component. This could include database credentials, configuration settings, or other sensitive data.
- Approximate Years/Dates: The paper was published on 2010-01-03. Therefore, exploitation would have occurred around this time and potentially in the years immediately following, until the component was patched or websites were updated.
Defensive lessons for modern teams
- Input Validation is Crucial: Always validate and sanitize all user-supplied input, especially when it's used in file paths, database queries, or system commands.
- Principle of Least Privilege: Ensure that web server processes run with the minimum necessary permissions. They should not be able to read sensitive system files.
- Regular Patching and Updates: Keep all software, including CMS platforms (like Joomla) and their extensions/components, up-to-date with the latest security patches.
- Web Application Firewalls (WAFs): Deploy and configure WAFs to detect and block common web attack patterns, including directory traversal attempts.
- Security Audits and Code Reviews: Regularly audit custom code and third-party components for security vulnerabilities.
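The allowlist check that the technical breakdown and the input-validation lesson above call for, as an added Python example that is not part of the original paper: the same validation a hardened dispatcher would apply to the controller parameter before building an include path is reused to flag requests in access-log lines. The allowlist names and the log lines are constructed for the example; the real component's controller set is not given in the paper.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed allowlist of controller names the component legitimately loads
# (constructed for this example, not taken from com_bfsurvey).
ALLOWED_CONTROLLERS = {"survey", "results", "admin"}
SAFE_NAME = re.compile(r"^[a-z0-9_]+$")


def is_safe_controller(value: str) -> bool:
    """Accept only a plain, allowlisted name. Decoding is repeated so a
    doubly-encoded '%252e' is judged as the '.' it becomes, and the
    character class rules out '/', '.', and therefore any '../' traversal."""
    decoded = value
    for _ in range(3):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    return bool(SAFE_NAME.fullmatch(decoded)) and decoded in ALLOWED_CONTROLLERS


def flag_request(url: str) -> bool:
    """True when a request targets com_bfsurvey with a non-empty controller
    value that fails the allowlist check, i.e. a probable LFI attempt."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if qs.get("option", [""])[0] != "com_bfsurvey":
        return False
    controllers = [c for c in qs.get("controller", []) if c]
    return any(not is_safe_controller(c) for c in controllers)


def scan_access_log(lines):
    """Return the request targets from combined-format log lines that
    flag_request() considers suspicious."""
    hits = []
    for line in lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if m and flag_request(m.group(1)):
            hits.append(m.group(1))
    return hits


# Constructed log lines, not real traffic; the traversal strings mirror the
# examples quoted in the paper's discussion.
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Jan/2010:10:00:01 +0000] "GET /index.php?option=com_bfsurvey&controller=survey HTTP/1.1" 200 512',
    '203.0.113.5 - - [03/Jan/2010:10:00:02 +0000] "GET /index.php?option=com_bfsurvey&controller=../../../../etc/passwd HTTP/1.1" 200 1024',
    '203.0.113.5 - - [03/Jan/2010:10:00:03 +0000] "GET /index.php?option=com_bfsurvey&controller=..%252f..%252fconfiguration.php HTTP/1.1" 200 2048',
    '203.0.113.5 - - [03/Jan/2010:10:00:04 +0000] "GET /index.php?option=com_content&view=article HTTP/1.1" 200 4096',
]
```

Running scan_access_log(SAMPLE_LOG) returns the two com_bfsurvey requests whose controller value is a path rather than a name; the request to another component is ignored even though the same parameter name could appear there.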
ASCII visual (if applicable)
This vulnerability is primarily about manipulating URL parameters. An ASCII visual can illustrate the flow of a request:
+--------------------+        +-----------------+        +-------------------+
| Attacker's         | -----> | Web Server      | -----> | Joomla Component  |
| Browser/Tool       |        | (Receives Req)  |        | com_bfsurvey      |
+--------------------+        +-----------------+        +-------------------+
        |                                                          |
        | Injecting LFI payload                                    | Processes
        | (e.g., ?controller=../../../../etc/passwd)               | parameter
        |                                                          |
        v                                                          v
+--------------------+        +-----------------+        +-------------------+
| Malicious URL      | -----> | Request Handler | -----> | File Inclusion    |
| (e.g., http://...) |        | (Joomla Core)   |        | Logic (Vulnerable)|
+--------------------+        +-----------------+        +-------------------+
                                                                   |
                                                                   v
                                                         +-------------------+
                                                         | Server File       |
                                                         | (e.g., passwd)    |
                                                         +-------------------+
                                                                   |
                                                                   v
                                                         +-------------------+
                                                         | Server Response   |
                                                         | (File Content)    |
                                                         +-------------------+
Explanation:
- The attacker crafts a malicious URL.
- The web server receives the request.
- Joomla's core request handler processes the URL, identifying com_bfsurvey as the target component.
- The com_bfsurvey component, due to its vulnerability, takes the controller parameter value and uses it to attempt to include a file from the server's filesystem.
- If successful, the content of the requested server file is returned in the web server's response.
Source references
- Paper ID: 10946
- Paper Title: Joomla! Component com_bfsurvey - Local File Inclusion
- Author: FL0RiX
- Published: 2010-01-03
- Paper URL: https://www.exploit-db.com/papers/10946
- Raw URL: https://www.exploit-db.com/raw/10946
Original Exploit-DB Content (Verbatim)
@~~=======================================~~@
@~~=Script : Joomla Component com_bfsurvey
@~~=Author : FL0RiX
@~~=HomePage: www.oltan.org
@~~=Greez : Deep-Power ,Pyske,Wretch-x & All Friends
@~~=Bug Type : Local File Inlusion(LFI)
@~~=Dork : inurl:"com_bfsurvey"
@~~=======================================~~@
@~~=Vuln
: http://site/ [Yol] /index.php?option=com_bfsurvey&controller= [-LFI-]