Aug 30, 2011 - 12:00 a.m.

JCE Joomla Extension <=2.0.10 Multiple Vulnerabilities



AmnPardaz Security Research Team

Title: JCE Joomla Extension <=2.0.10 Multiple Vulnerabilities


Exploit: Available

Vulnerable Version: 2.0.10 (Image Manager, Media Manager, Template Manager 1.5.5, File Manager & prior versions also may be affected)

Impact: High

Original Advisory:

Fix: N/A



1. Description:

JCE is an extension for Joomla! that provides a set of WYSIWYG editor
tools that make the job of writing articles for your Joomla! site a
little bit easier.
In a nutshell, it provides access to many of the features you may
be used to using in Word, OpenOffice, etc.

2. Vulnerabilities:

2.1. Path Traversal Flaws. Path Traversal in "Image Manager",
"Media Manager", "Template Manager" and "File Manager" section.
2.1.1. Exploit:
Check the exploit/POC section.

2.2. Path Manipulation Flaws. Path Manipulation in "Image Manager",
"Media Manager", "Template Manager", "File Manager" section. Attackers
can delete any file or upload files to all the directories of the server.
2.2.1. Exploit:
Check the exploit/POC section.

2.3. Unsafe function Flaws. Attackers can use an unsafe function
called "folderRename" to change an image type extension (.jpg, .gif,
.png, etc.) to any extension like .htaccess or .php in "Image Manager",
"Media Manager", "Template Manager" and "File Manager" section.
2.3.1. Exploit:
Check the exploit/POC section.

3. Exploits/PoCs:

Original Exploit URL:

3.1. Path Traversal Flaws. Path Traversal in "Image Manager",
"Media Manager", "Template Manager" and "File Manager" section.
Path Traversal and see all directories:
Step 1 +--> Click on root (left bar)
Step 2 +--> Use Proxy (like burp) for changing path:



3.2. Path Manipulation Flaws. Path Manipulation in "Image Manager",
"Media Manager", "Template Manager", "File Manager" section. Attackers
can delete any file or upload files to all the directories of the server.

For uploading file:
Step 1 +--> Upload a file with image type extension like azizi.jpg
Step 2 +--> Click on root (left bar)
Step 3 +--> Use Proxy (like burp) and change "json" parameter
to json={"fn":"fileCopy","args":["/azizi.jpg","…/…/"]}

Now azizi.jpg has been copied to the root directory.

For deleting file:
Step 1 +--> Click on root (left bar)
Step 2 +--> Use Proxy (like burp) and change "json" parameter
to json={"fn":"fileDelete","args":"…/…/index.php"}

Now index.php has been deleted.

3.3. Unsafe function Flaws. Attackers can use unsafe function for
changing Image type extension (.jpg, .gif, .png, etc.) to any extension
like .htaccess or .php in "Image Manager", "Media Manager", "Template
Manager" and "File Manager" section.

For uploading file with executable extension:
Step 1 +--> Upload a file with image type extension like azizi.jpg
Step 2 +--> Click on root (left bar)
Step 3 +--> Use Proxy (like burp) and change "json" p

4. Solution:

Restrict access to these resources to trusted users only and wait for the
vendor patch.
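
Until a patch is available, requests to the editor can be screened for the patterns in section 3. The following is an added example, not part of the original advisory or of JCE's code: it inspects the value of the "json" parameter (assumed to be already extracted from a proxy, WAF hook or request log) and reports parent-directory segments in any argument and non-image target names in "folderRename" calls. The IMAGE_EXTS allowlist and the assumption that "folderRename" carries its target name as a string argument are not from the advisory.

```python
import json
import posixpath
from urllib.parse import unquote

# Assumption: extensions an image manager should legitimately produce.
IMAGE_EXTS = {".jpg", ".jpeg", ".gif", ".png"}


def _decode(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding."""
    for _ in range(rounds):
        value, previous = unquote(value), value
        if value == previous:
            break
    return value


def _strings(node):
    """Yield every string nested anywhere inside the 'args' value."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        node = list(node.values())
    if isinstance(node, list):
        for item in node:
            yield from _strings(item)


def inspect_call(raw_json):
    """Return findings for one value of the request's 'json' parameter."""
    try:
        call = json.loads(_decode(raw_json))
    except ValueError:
        return ["unparseable json parameter"]
    if not isinstance(call, dict):
        return []
    fn, findings = str(call.get("fn")), []
    for arg in _strings(call.get("args")):
        # Args may carry their own encoding layer and Windows separators.
        arg = _decode(arg).replace("\\", "/")
        if ".." in arg.split("/"):
            findings.append(f"{fn}: parent-directory segment in {arg!r}")
        name = posixpath.basename(arg.rstrip("/"))
        ext = posixpath.splitext(name)[1].lower()
        # Rename targets: reject dotfiles and any non-image extension.
        if fn == "folderRename" and (name.startswith(".") or ext not in IMAGE_EXTS | {""}):
            findings.append(f"{fn}: non-image target name {name!r}")
    return findings
```

A non-empty result is a reason to block or alert on the request; an empty list means none of the three patterns matched, not that the request is safe.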

5. Credit:
AmnPardaz Security Research & Penetration Testing Group
Contact: admin[4t}bugreport{d0t]ir