Joomla! Fabrik Component 'importcsv.php' Arbitrary File Upload Vulnerability

Bugtraq ID:	50823
Class:	Input Validation Error
CVE:	CVE-2011-5004
Remote:	Yes
Local:	No
Published:	Nov 28 2011 12:00AM
Updated:	Jan 03 2012 10:00PM
Credit:	Ismail Kaleem
Vulnerable:	Joomla Fabrik 2.1 Joomla Fabrik 2.0
Not Vulnerable:	Joomla Fabrik 2.1.1

Joomla! Fabrik Component 'importcsv.php' Arbitrary File Upload Vulnerability

Fabrik component for Joomla! is prone to a vulnerability that lets attackers upload arbitrary files because the application fails to adequately sanitize user-supplied input.

An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the webserver process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.

Fabrik 2.1 is vulnerable; prior versions may also be affected.

Joomla! Fabrik Component 'importcsv.php' Arbitrary File Upload Vulnerability

Attackers can exploit this issue through a browser.

Joomla! Fabrik Component 'importcsv.php' Arbitrary File Upload Vulnerability

Solution:
Updates are available. Please see the reference for more details.

Joomla! Fabrik Component 'importcsv.php' Arbitrary File Upload Vulnerability

References:

• Fabrik Commit Details (Fabrik)
  
• Fabrik Homepage (Fabrik)
  
• Joomla! Homepage (Joomla )
  
• Joomla com_fabrik - Remote File Upload Vulnerability (Vulnerability-Lab)