CVE-2015-4075
published 2017-09-20

CVE-2015-4075: The Helpdesk Pro plugin before 1.4.0 for Joomla! allows remote attackers to write to arbitrary .ini files via a crafted language.save task.

Priority: P261 · high · 8.1 · CVSS 3.1
AV:N / AC:H / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 7.38% (93.6th percentile)

Affected

1 ranges
Vendor: helpdeskpro
Product: helpdesk_pro
Version range: <= 1.3.0
Fixed in: -

Detection & IOCs

url: http://{url}/index.php?option=com_helpdeskpro&task=language.save
command: lang=&item=./../../../../../../etc/php5/apache2/php&keys[]=[PHP];&[PHP];=val%0aAnyData%0a;
path: /etc/php5/apache2/php.ini
  • Detect POST requests to the Joomla Helpdesk Pro component with the task parameter set to 'language.save', which is the attack vector for arbitrary .ini file write.
  • Inspect the 'item' POST parameter for path traversal sequences (e.g., '../../') in requests to com_helpdeskpro, indicating an attempt to write .ini files outside the web root.
  • The vulnerability is unauthenticated — no session or authentication token is required to trigger the language.save task. Monitor for unauthenticated POST requests to this endpoint.
  • Alert on unexpected creation or modification of .ini files (especially php.ini) in system directories by the web server process, which may indicate successful exploitation.
  • Code execution via .ini file overwrite is only achievable on poorly configured systems where sensitive .ini files (e.g., php.ini) are writable by the web server process. Most hardened systems will not be susceptible to the code execution follow-on.
  • The impact of exploitation varies per target file — any non-protected .ini file writable by the web server is at risk of being overwritten, not just php.ini.
  • All versions of Helpdesk Pro prior to 1.4.0 are suspected vulnerable, though only version 1.3.0 was officially tested and verified by the researchers.
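
The request-side checks from the bullets above, as an added example that is not part of the original entry or any vendor rule: it flags POSTs to com_helpdeskpro with task=language.save and grades them by traversal in the item parameter and by whether a session was present. The host joomla.example, the `authenticated` flag (assumed to come from your own session logging), the key HDP_TITLE and the sample records are constructed.

```python
from urllib.parse import urlsplit, parse_qs, unquote

def _decode(value, rounds=3):
    # Undo nested URL-encoding (e.g. %252e%252e) before matching.
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(item):
    # True when 'item' climbs out of the language directory or is absolute.
    decoded = _decode(item).replace("\\", "/")
    return ".." in decoded.split("/") or decoded.startswith("/")

def inspect_request(method, url, body="", authenticated=False):
    """Return findings for one HTTP request; an empty list means not relevant."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    # 'task' and 'option' may arrive in the form body instead of the query string.
    for key, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(key, []).extend(values)
    if method.upper() != "POST":
        return []
    if "com_helpdeskpro" not in params.get("option", []):
        return []
    if "language.save" not in params.get("task", []):
        return []
    findings = ["language.save task on com_helpdeskpro"]
    if any(has_traversal(v) for v in params.get("item", [])):
        findings.append("path traversal in 'item'")
    if not authenticated:
        findings.append("no authenticated session")
    return findings

# Constructed sample requests: (method, url, body, authenticated)
URL = "http://joomla.example/index.php?option=com_helpdeskpro&task=language.save"
SAMPLES = [
    ("POST", URL, "lang=&item=./../../../../../../etc/php5/apache2/php"
                  "&keys[]=[PHP];&[PHP];=val%0aAnyData%0a;", False),
    ("POST", URL, "lang=en-GB&item=com_helpdeskpro&keys[]=HDP_TITLE&HDP_TITLE=Support", True),
    ("GET", "http://joomla.example/index.php?option=com_helpdeskpro&view=tickets", "", False),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[0], inspect_request(*sample) or "ok")
```

A request with only the first finding matches a translation save from a logged-in session; all three findings together match the pattern this entry describes.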

CVSS provenance

nvd · v3.1 · 8.1 · HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 6.8 · MEDIUM · AV:N/AC:M/Au:N/C:P/I:P/A:P