CVE-2013-5576
published 2013-10-09CVE-2013-5576: administrator/components/com_media/helpers/media.php in the media manager in Joomla! 2.5.x before 2.5.14 and 3.x before 3.1.5 allows remote authenticated users…
PriorityP277medium6.8CVSS 2.0
AVNACMAuNCPIPAP
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
48.19%
98.7th percentile
administrator/components/com_media/helpers/media.php in the media manager in Joomla! 2.5.x before 2.5.14 and 3.x before 3.1.5 allows remote authenticated users or remote attackers to bypass intended access restrictions and upload files with dangerous extensions via a filename with a trailing . (dot), as exploited in the wild in August 2013.
Affected
24 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| joomla | joomla_! | — | — |
| joomla | joomla_! | — | — |
| joomla | joomla_! | — | — |
| joomla | joomla_! | — | — |
| joomla | joomla_! | — | — |
| joomla | joomla_! | — | — |
| joomla | joomla_! | — | — |
| joomla | joomla_! | — | — |
| joomla | joomla_! | — | — |
| joomla | joomla_! | — | — |
| joomla | joomla_! | — | — |
| joomla | joomla_! | — | — |
| joomla | joomla_! | — | — |
| joomla | joomla_! | — | — |
| joomla | joomla_! | — | — |
| joomla | joomla_! | — | — |
| joomla | joomla_! | — | — |
| joomla | joomla_! | — | — |
| joomla | joomla_! | — | — |
| joomla | joomla_! | — | — |
| joomla | joomla_! | — | — |
| joomla | joomla_! | — | — |
| joomla | joomla_! | — | — |
| joomla | joomla_! | — | — |
Detection & IOCsextracted from sources · hover to see the quote
url/index.php?option=com_media&view=images&tmpl=component&e_name=jform_articletext&asset=com_content&author=↗
- →Detect file upload requests to the Joomla Media Manager endpoint (com_media) where the uploaded filename contains a trailing dot (e.g., 'shell.php.') to bypass extension filtering. ↗
- →Alert on HTTP GET requests to /images/<filename>.php shortly after a POST to the com_media upload endpoint, indicating successful webshell upload and execution attempt. ↗
- →Check web server logs for the presence of PHP files created under the Joomla /images/ directory, which is not a normal location for PHP scripts. ↗
- →Detect the Joomla Media Manager access check bypass: look for HTTP 200 responses to com_media requests that do NOT contain 'You are not authorised to view this resource', indicating unauthenticated or unauthorized access succeeded. ↗
- ·The vulnerability was exploited in the wild as early as August 2013; affected versions are Joomla 2.5.x up to 2.5.13 and 3.x up to 3.1.4. Patched versions are 2.5.14 and 3.1.5. ↗
- ·The Media Manager component is installed by default in Joomla; if public access is not restricted, exploitation requires no authentication. With access controls in place, an Editor role or higher is sufficient for exploitation. ↗
CVSS provenance
nvdv2.06.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:P
vulncheck6.8MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-57fx-rj36-27v4: administrator/components/com_media/helpers/media
ghsa_unreviewed·2022-05-17
CVE-2013-5576 [MEDIUM] CWE-20 GHSA-57fx-rj36-27v4: administrator/components/com_media/helpers/media
administrator/components/com_media/helpers/media.php in the media manager in Joomla! 2.5.x before 2.5.14 and 3.x before 3.1.5 allows remote authenticated users or remote attackers to bypass intended access restrictions and upload files with dangerous extensions via a filename with a trailing . (dot), as exploited in the wild in August 2013.
VulnCheck
Joomla! Joomla! Improper Input Validation
vulncheck·2013·CVSS 6.8
CVE-2013-5576 [MEDIUM] Joomla! Joomla! Improper Input Validation
Joomla! Joomla! Improper Input Validation
administrator/components/com_media/helpers/media.php in the media manager in Joomla! 2.5.x before 2.5.14 and 3.x before 3.1.5 allows remote authenticated users or remote attackers to bypass intended access restrictions and upload files with dangerous extensions via a filename with a trailing . (dot), as exploited in the wild in August 2013.
Affected: Joomla! Joomla!
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://nvd.nist.gov/vuln/detail/CVE-2013-5576; https://www.cve.org/CVERecord?id=CVE-2013-5576
No detection rules found.
Exploit-DB
Joomla! Component Media Manager - Arbitrary File Upload (Metasploit)
exploitdb·2013-08-15
CVE-2013-5576 Joomla! Component Media Manager - Arbitrary File Upload (Metasploit)
Joomla! Component Media Manager - Arbitrary File Upload (Metasploit)
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 "Joomla Media Manager File Upload Vulnerability",
'Description' => %q{
This module exploits a vulnerability found in Joomla 2.5.x up to 2.5.13, as well as
3.x up to 3.1.4 versions. The vulnerability exists in the Media Manager component,
which comes by default in Joomla, allowing arbitrary file uploads, and results in
arbitrary code execution. The module has been tested successfully on Joomla 2.5.13
and 3.1.4 on Ubuntu 10.04.
Metasploit
Joomla Media Manager File Upload Vulnerability
metasploit
Joomla Media Manager File Upload Vulnerability
Joomla Media Manager File Upload Vulnerability
This module exploits a vulnerability found in Joomla 2.5.x up to 2.5.13, as well as 3.x up to 3.1.4 versions. The vulnerability exists in the Media Manager component, which comes by default in Joomla, allowing arbitrary file uploads, and results in arbitrary code execution. The module has been tested successfully on Joomla 2.5.13 and 3.1.4 on Ubuntu 10.04. Note: If public access isn't allowed to the Media Manager, you will need to supply a valid username and password (Editor role or higher) in order to work properly.
No writeups or analysis indexed.
http://developer.joomla.org/security/563-20130801-core-unauthorised-uploads.htmlhttp://joomlacode.org/gf/project/joomla/tracker/?action=TrackerItemEdit&tracker_item_id=31626http://seclists.org/oss-sec/2013/q3/484http://seclists.org/oss-sec/2013/q3/486http://www.cso.com.au/article/523528/joomla_patches_file_manager_vulnerability_responsible_hijacked_websites/http://www.exploit-db.com/exploits/27610http://www.kb.cert.org/vuls/id/639620https://github.com/joomla/joomla-cms/commit/1ed07e257a2c0794ba19e864f7c5101e7e8c41d2https://github.com/joomla/joomla-cms/commit/fa5645208eefd70f521cd2e4d53d5378622133d8http://developer.joomla.org/security/563-20130801-core-unauthorised-uploads.htmlhttp://joomlacode.org/gf/project/joomla/tracker/?action=TrackerItemEdit&tracker_item_id=31626http://seclists.org/oss-sec/2013/q3/484http://seclists.org/oss-sec/2013/q3/486http://www.cso.com.au/article/523528/joomla_patches_file_manager_vulnerability_responsible_hijacked_websites/http://www.exploit-db.com/exploits/27610http://www.kb.cert.org/vuls/id/639620https://github.com/joomla/joomla-cms/commit/1ed07e257a2c0794ba19e864f7c5101e7e8c41d2https://github.com/joomla/joomla-cms/commit/fa5645208eefd70f521cd2e4d53d5378622133d8
2013-10-09
Published
Exploited in the wild