Vendor: JE Messenger
By: Salvatore Fresta aka Drosophila
CVSS: 7.5 (HIGH)
CWE: 434 (Arbitrary File Upload)
Product Name: JE Messenger
Affected Version From: 1.0
Affected Version To: 1.0
Patch Exists: YES
Related CWE: N/A
CPE: a:joomlaextensions:je_messenger:1.0
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2010

JE Messenger 1.0 Arbitrary File Upload Vulnerability

A logic error in the save function (compose.php) allows a registered user to upload a file with any extension. The check for a valid file extension is made after the upload, and when the check fails the file is not removed from the server. This can be exploited to execute arbitrary PHP code by uploading a PHP file.

Mitigation:

The vendor released a new version (1.1) that fixes this vulnerability.

Exploit-DB raw data:

JE Messenger 1.0 Arbitrary File Upload Vulnerability

 Name              JE Messenger
 Vendor            http://joomlaextensions.co.in
 Versions Affected 1.0

 Author            Salvatore Fresta aka Drosophila
 Website           http://www.salvatorefresta.net
 Contact           salvatorefresta [at] gmail [dot] com
 Date              2010-12-09

X. INDEX

 I.    ABOUT THE APPLICATION
 II.   DESCRIPTION
 III.  ANALYSIS
 IV.   SAMPLE CODE
 V.    FIX
 

I. ABOUT THE APPLICATION
________________________

JE Messenger is a Joomla component.


II. DESCRIPTION
_______________

A parameter is not properly sanitised before being used
by the native Joomla upload function.


III. ANALYSIS
_____________

Summary:

 A) Arbitrary File Upload
 

A) Arbitrary File Upload
________________________

A logic error in the save function (compose.php) allows
a registered user to upload a file with any extension.
The check for a valid file extension is made after the
upload, and when the check fails the file is not removed
from the server. This can be exploited to execute
arbitrary PHP code by uploading a PHP file.

The file is renamed during the upload:

$file['name'] = time().'in'.$file['name'];

Example:

Original file name: shell.php
Uploaded file name: 1291907399inshell.php

Where 1291907399 is the value returned by the time()
function.

The file will be uploaded to the following directory:

$dest = JPATH_ROOT.DS.'components/'.$option.'/assets/images/'.$file['name'];

The default destination is:

http://site/path/components/com_jemessenger/assets/images/
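The root cause described above is an ordering bug: the file is moved into a web-reachable directory first and its extension is checked afterwards, with no cleanup on failure. The following is an added illustration, not JE Messenger's own code; it reconstructs that flawed sequence next to a hardened handler. The function names, the whitelist and the storage directory are assumptions for this example.

```php
<?php
// Added illustration, not code from the JE Messenger component.
// Flawed pattern (as the advisory describes it): rename, move into the web
// root, and only then check the extension; on failure the moved file remains.
function saveAttachmentVulnerable(array $file, string $destDir, array $allowed): bool
{
    $file['name'] = time() . 'in' . $file['name'];      // rename quoted in the advisory
    $dest = $destDir . '/' . $file['name'];
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return false;
    }
    $ext = strtolower(pathinfo($dest, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true)) {
        return false;   // bug: $dest is never unlinked, so the file stays reachable
    }
    return true;
}

// Hardened pattern: validate before anything touches the filesystem, derive the
// stored name from a random token instead of the client-supplied name, keep the
// store outside the document root (or in a directory that denies execution),
// and remove the file if any check that must run after the move fails.
function saveAttachmentFixed(array $file, string $storeDir, array $allowed): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true)) {
        return null;                                    // rejected before the move
    }
    // Check the content, not just the name the client chose.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ['image/png', 'image/jpeg', 'image/gif'], true)) {
        return null;
    }
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;   // no user-controlled characters
    $dest = $storeDir . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    if (getimagesize($dest) === false) {                // post-move check: clean up on failure
        unlink($dest);
        return null;
    }
    return $stored;
}
```

When reviewing an upload handler, the two questions this example isolates are whether any check runs after `move_uploaded_file()` and whether every failure path after the move unlinks the file.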


IV. SAMPLE CODE
_______________

A) Arbitrary File Upload

1 - Login to target website's Joomla
2 - Go to http://site/path/index.php?option=com_jemessenger&view=compose
3 - Fill in a valid form and select an arbitrary file
4 - Go to http://site/path/components/com_jemessenger/assets/images/filename


Try a little bruteforce to find the value returned by
the time() function.


V. FIX
______

No fix.