Pentesting help

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

juantovar
Joomla! Fledgling
Joomla! Fledgling
Posts: 2
Joined: Wed Feb 25, 2015 3:52 pm

Pentesting help

Post by juantovar » Wed Feb 25, 2015 4:15 pm

The school I study at is running Joomla 1.5.26. Since we were studying IT security, I decided to do a pentest of the institute site. They gave me a copy of the image they are running, with the database included and all. I set up a localhost, installed Joomla, the databases, everything.
I then scanned it with joomscan, getting these vulnerabilities:

Code:

Info -> Generic: htaccess.txt has not been renamed.
Versions Affected: Any
Check: http://localhost/joomla/htaccess.txt 
Exploit:
Generic defenses implemented in .htaccess are not available, so exploiting is more likely to succeed.
Vulnerable? Yes

Info -> Core: Admin Backend Cross Site Request Forgery Vulnerability
Versions effected: 1.0.13 <=
Check: http://localhost/joomla/administrator/ 
Exploit:
It requires an administrator to be logged in and to be tricked into a specially crafted webpage.
Vulnerable? Yes

Info -> CorePlugin: TinyMCE TinyBrowser addon multiple vulnerabilities
Versions effected: Joomla! 1.5.12
Check: http://localhost/joomla/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/ 
Exploit:
While Joomla! team announced only File Upload vulnerability, in fact there are many. See: http://www.milw0rm.com/exploits/9296
Vulnerable? Yes

Info -> CoreComponent: com_mailto timeout Vulnerability
Versions effected: 1.5.13 <=
Check: http://localhost/joomla/components/com_mailto/ 
Exploit:
[Requires a valid user account] In com_mailto, it was possible to bypass timeout protection against sending automated emails.
Vulnerable? Yes
I have been googling and googling looking for how to exploit these vulnerabilities, especially the htaccess and the TinyMCE one, but I have been unsuccessful with all the ones I've tried.
I need help to finish this task. I am therefore setting up a free web page in order for someone to hack it and give me the steps to replicate it, so I can show the school that their web page is vulnerable.

toivo
Joomla! Master
Posts: 17423
Joined: Thu Feb 15, 2007 5:48 am
Location: Sydney, Australia

Re: Pentesting help

Post by toivo » Wed Feb 25, 2015 5:23 pm

Info -> Generic: htaccess.txt has not been renamed.
Only people who do not read any instructions would have this problem if they do not rename this file to .htaccess.
Info -> CorePlugin: TinyMCE TinyBrowser addon multiple vulnerabilities
Versions effected: Joomla! 1.5.12
Your version is later than 1.5.12 and the problem has been fixed: http://developer.joomla.org/security/ne ... pload.html
Info -> CoreComponent: com_mailto timeout Vulnerability
Versions effected: 1.5.13 <=
As above, if your site is already at 1.5.26, this vulnerability has been fixed.

Your extension seems to ignore the version of the components and plugins when it reports vulnerabilities. If having a folder called administrator makes it report a vulnerability from Joomla 1.0.13, the results can be misleading, even considering that Joomla 1.5 and its extensions are obsolete.

Is the motivation of the school to use an obsolete version only to teach the students security by getting the site hacked? Hopefully the site is internal and does not contain any real student data.
Toivo Talikka, Global Moderator
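Toivo's point that the scanner reports findings without looking at the installed version can be checked mechanically. The script below is an added example written for this thread, not code from joomscan or from any poster: it parses findings written in the same report format quoted in the first post and compares each "Versions effected" range with the version actually installed, so that entries for releases older than 1.5.26 are separated from findings that still need a manual check. The sample report text is constructed from the entries quoted above; reading "1.0.13 <=" as "up to and including 1.0.13" is an assumption about the scanner's notation, and the function names (`parse_report`, `version_affected`, `triage`) are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the four findings quoted in the thread, in joomscan's report layout.
SAMPLE_REPORT = """\
Info -> Generic: htaccess.txt has not been renamed.
Versions Affected: Any
Check: http://localhost/joomla/htaccess.txt
Exploit:
Generic defenses implemented in .htaccess are not available, so exploiting is more likely to succeed.
Vulnerable? Yes

Info -> Core: Admin Backend Cross Site Request Forgery Vulnerability
Versions effected: 1.0.13 <=
Check: http://localhost/joomla/administrator/
Exploit:
It requires an administrator to be logged in and to be tricked into a specially crafted webpage.
Vulnerable? Yes

Info -> CorePlugin: TinyMCE TinyBrowser addon multiple vulnerabilities
Versions effected: Joomla! 1.5.12
Check: http://localhost/joomla/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/
Exploit:
While Joomla! team announced only File Upload vulnerability, in fact there are many.
Vulnerable? Yes

Info -> CoreComponent: com_mailto timeout Vulnerability
Versions effected: 1.5.13 <=
Check: http://localhost/joomla/components/com_mailto/
Exploit:
[Requires a valid user account] In com_mailto, it was possible to bypass timeout protection against sending automated emails.
Vulnerable? Yes
"""

Version = Tuple[int, ...]

ENTRY_RE = re.compile(r"^Info -> (?P<category>[^:]+): (?P<title>.+)$", re.M)
VERSIONS_RE = re.compile(r"^Versions (?:Affected|effected): (?P<spec>.+)$", re.M | re.I)
VULN_RE = re.compile(r"^Vulnerable\? (?P<answer>Yes|No)", re.M | re.I)
NUM = r"\d+(?:\.\d+)*"


@dataclass
class Finding:
    category: str
    title: str
    versions: str   # the raw "Versions effected" text
    flagged: bool   # the scanner's own "Vulnerable? Yes"


def version_tuple(text: str) -> Version:
    """'1.5.26' -> (1, 5, 26); short versions are padded so '1.5' compares as (1, 5, 0)."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def parse_report(text: str) -> List[Finding]:
    """Split the report into blank-line separated entries and pull out the fields we need."""
    findings = []
    for block in re.split(r"\n\s*\n", text.strip()):
        head = ENTRY_RE.search(block)
        if not head:
            continue
        spec = VERSIONS_RE.search(block)
        flag = VULN_RE.search(block)
        findings.append(Finding(
            category=head["category"].strip(),
            title=head["title"].strip(),
            versions=spec["spec"].strip() if spec else "Any",
            flagged=bool(flag and flag["answer"].lower() == "yes"),
        ))
    return findings


def version_affected(spec: str, installed: str) -> Optional[bool]:
    """True/False if the spec decides it for this version, None if the spec is version-independent."""
    spec = spec.replace("Joomla!", "").strip()
    if spec.lower() == "any":
        return None                      # e.g. the htaccess.txt check: a config issue, not a version issue
    inst = version_tuple(installed)
    m = re.fullmatch(rf"({NUM})\s*<=", spec) or re.fullmatch(rf"<=\s*({NUM})", spec)
    if m:                                # assumption: "1.0.13 <=" means up to and including 1.0.13
        return inst <= version_tuple(m.group(1))
    m = re.fullmatch(rf"({NUM})\s*-\s*({NUM})", spec)
    if m:                                # inclusive range "a - b"
        return version_tuple(m.group(1)) <= inst <= version_tuple(m.group(2))
    if re.fullmatch(NUM, spec):          # a single exact release
        return inst == version_tuple(spec)
    return None                          # unknown notation: do not silently discard the finding


def triage(text: str, installed: str) -> Dict[str, str]:
    """Map each flagged finding title to 'applies', 'not applicable' or 'verify manually'."""
    labels = {True: "applies", False: "not applicable (installed version outside affected range)",
              None: "verify manually"}
    return {f.title: labels[version_affected(f.versions, installed)]
            for f in parse_report(text) if f.flagged}


if __name__ == "__main__":
    for title, verdict in triage(SAMPLE_REPORT, "1.5.26").items():
        print(f"{verdict:60} {title}")
```

Run against 1.5.26, the three version-specific entries drop out and only the htaccess.txt entry remains for a manual check (does a real `.htaccess` exist and is the leftover `htaccess.txt` still served?). Note that "not applicable" only means the scanner's signature is older than the installed release; it says nothing about issues in 1.5.26 itself, which is past end of life, as the later replies in this thread point out.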

pe7er
Joomla! Master
Posts: 24974
Joined: Thu Aug 18, 2005 8:55 pm
Location: Nijmegen, Netherlands

Re: Pentesting help

Post by pe7er » Wed Feb 25, 2015 5:31 pm

toivo wrote: As above, if your site is already at 1.5.26, this vulnerability has been fixed.
To add to Toivo's analysis: do not forget to install the 1.5.26 security fix,
see http://joomlacode.org/gf/project/joomla ... m_id=31626
Kind Regards,
Peter Martin, Global Moderator
Company website: https://db8.nl/en/ - Joomla specialist, Nijmegen, Netherlands
The best website: https://the-best-website.com

juantovar
Joomla! Fledgling
Posts: 2
Joined: Wed Feb 25, 2015 3:52 pm

Re: Pentesting help

Post by juantovar » Wed Feb 25, 2015 5:42 pm

Thank you both for replying.
Is the motivation of the school to use an obsolete version only to teach the students security by getting the site hacked?
The site administrator told me he hasn't updated because it is too much trouble and he hasn't found the time to do it... The web page basically contains school calendars, general info of the school, and some other documents concerning how to write your thesis, etc.

Grades are not there, and other important student info is not there either; that service is outsourced.

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Pentesting help

Post by mandville » Wed Feb 25, 2015 5:53 pm

Personally I would sack your site administrator. Have they not found time in the last 2 years? Bet they have the latest phone, TV, computer, etc.
Joomla! 1.5 EOL (End of Life) notice - Sept 2012. All security patches have ceased.
If you are still using Joomla! 1.5, please upgrade your Joomla! version ASAP; your website may be at risk.
Your installed extensions may be a security risk
See What version of Joomla! should you use?
The recommended Joomla! CMS version is now 3.x
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
