漏洞描述
Detects full path disclosure in Joomla! sending requests to specific paths and identifying fatal error stack traces that leaked absolute filesystem paths.
joomla-fpd: Joomla! - Full Path Disclosure
PoC代码[已公开]
id: joomla-fpd
info:
name: Joomla! - Full Path Disclosure
author: pussycat0x
severity: low
description: |
Detects full path disclosure in Joomla! sending requests to specific paths and identifying fatal error stack traces that leaked absolute filesystem paths.
reference:
- https://developer.joomla.org/security-centre/884-20220801-core-multiple-full-path-disclosures-because-of-missing-jexec-or-die-check.html
metadata:
verified: true
shodan-query: http.component:"joomla"
tags: joomla,misconfiguration,fpd,disclosure
http:
- method: GET
path:
- "{{BaseURL}}/libraries/php-inputfilter/inputfilter.php"
- "{{BaseURL}}/libraries/php-fileupload/fileupload.php"
- "{{BaseURL}}/libraries/joomla/filesystem/archive/archive.php"
- "{{BaseURL}}/libraries/joomla/filesystem/archive/tar.php"
- "{{BaseURL}}/libraries/joomla/filesystem/archive/zip.php"
- "{{BaseURL}}/libraries/phpmailer/phpmailer.php"
- "{{BaseURL}}/libraries/phputf8/utils/bad.php"
- "{{BaseURL}}/libraries/phputf8/utils/unicode.php"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- "(?i)in\\s+/.*\\.php\\s+on\\s+line\\s+\\d+"
- "(?i)fatal\\s+error"
- "(?i)warning"
- "(?i)notice"
condition: or
- type: status
status:
- 200
- type: regex
part: body
regex:
- "(/[^\\s:]+/joomla[^\\s:]*)"
- "(/[^\\s:]+/libraries[^\\s:]*)"
# digest: 490a0046304402202e0a443424e6c96bb7abeb6844952629a358afcfbeb895f82003195bff254b85022070aaa15a0ba237194217140bc016509fd69d171c5a6ccee1b71b81bb56560d93:922c64590222798bb761d5b6d8e72950