JomSocial 1.8.8 - Arbitrary File Upload

Author: Jeff Channell
type: webapps
platform: php
port: 
date_added: 2010-09-30 
date_updated: 2015-07-12 
verified: 0 
codes: OSVDB-68600 
tags: 
aliases:  
screenshot_url:  
application_url: 

There is a file upload vulnerability in version 1.8.8 and earlier of
JomSocial, the popular community extension for Joomla!.

Successful exploitation of this exploit requires the site to be
configured to allow users to upload video files directly, which is
disabled by default. If this feature is enabled, any file uploaded via
the "add video" upload form will end up in
http://[victim]/images/originalvideos/[your account's user id]/[unique
file name]. This folder is not protected with an index, so if indexes
are allowed retrieving the shell's filename is trivial.

Listed on the JomSocial Changelog as "BUG: 4495"
<http://www.jomsocial.com/docs/Change_Log#Version_1.8.9>

Timeline

     * Vulnerabilities Discovered: 26 September 2010
     * Vendor Notified: 27 September 2010
     * Vendor Response: 27 September 2010
     * Update Available: 28 September 2010
     * Disclosure: 30 September 2010

http://jeffchannell.com/Joomla/jomsocial-188-shell-upload-vulnerability.html