I have the latest Joomla (3.73) and the latest Fabrik (3.6). The Fabrik install is updated via the standard Joomla update system.
I have just had a couple of files written into the web root dir by what looks like a POST call to the plugin.pluginAjax plugin.
Below are the web logs of the actual put and, one entry before it, what looks to be the test to see if 'they' can PUT.
Code:
114.125.202.218 - - [06/Jul/2017:03:51:06 +1000] "GET /favicon.ico HTTP/1.1" 404 628 "https://www.dmcc.com.au/index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
114.125.202.218 - - [06/Jul/2017:03:51:14 +1000] "POST /index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload HTTP/1.1" 200 1002 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
Looks like the POST wrote an 'index.html' and an 'ssiwebshell.shtml' file into the web root. The file dates perfectly match the POST. Nothing else, as far as I can tell.
In the logs I can see that the 'script kiddy' script tested for many different web apps and files and obviously got a hit with that Fabrik plugin.
Have I come across a vulnerability in Fabrik, or would it be something else that allowed these files to be uploaded?
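As an added triage helper (not the poster's code and not part of Fabrik), the script below parses Apache "combined" log lines like the two quoted above and pulls out two things worth checking across the whole log: successful (HTTP 200) POSTs to the `option=com_fabrik&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload` endpoint, and any request whose Referer carries that same endpoint (the favicon hit is one of those, showing the attacker's client loaded the endpoint page just before posting to it). The endpoint signature is taken verbatim from the quoted log; the two extra sample lines are constructed for the example. A hit only means the endpoint was called and answered 200, which is what the poster saw; it does not by itself prove the plugin is vulnerable, so the output is a list of IPs and timestamps to correlate with file mtimes in the web root, not a verdict.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" log format, the format of the lines quoted in the post.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Query parameters of the upload endpoint exactly as they appear in the quoted log.
UPLOAD_SIGNATURE = {
    'option': 'com_fabrik',
    'task': 'plugin.pluginAjax',
    'plugin': 'fileupload',
    'method': 'ajax_upload',
}


def query_params(url_or_path: str) -> Dict[str, str]:
    """Return the query string of a path or full URL as a flat dict (first value wins)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url_or_path).query).items()}


def is_upload_endpoint(params: Dict[str, str]) -> bool:
    """True when every parameter of the upload signature is present with the expected value."""
    return all(params.get(k) == v for k, v in UPLOAD_SIGNATURE.items())


def parse_line(line: str) -> Optional[Dict]:
    """Parse one combined-format line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return rec


def triage(lines: List[str]) -> Dict[str, List[Dict]]:
    """Bucket log lines into successful POSTs to the upload endpoint and requests
    whose Referer points at it (a client that loaded the endpoint page first)."""
    uploads, referer_hits = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec['method'] == 'POST' and rec['status'] == 200
                and is_upload_endpoint(query_params(rec['path']))):
            uploads.append(rec)
        elif rec['referer'] != '-' and is_upload_endpoint(query_params(rec['referer'])):
            referer_hits.append(rec)
    return {'uploads': uploads, 'referer_hits': referer_hits}


def source_ips(result: Dict[str, List[Dict]]) -> List[str]:
    """Distinct client IPs across both buckets, sorted for stable output."""
    return sorted({r['ip'] for bucket in result.values() for r in bucket})


# Constructed sample: the two lines quoted in the post, plus a normal Fabrik list view
# and a rejected POST to the same endpoint (both made up for this example).
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Jul/2017:03:50:01 +1000] "GET /index.php?option=com_fabrik&view=list&listid=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '114.125.202.218 - - [06/Jul/2017:03:51:06 +1000] "GET /favicon.ico HTTP/1.1" 404 628 "https://www.dmcc.com.au/index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"',
    '114.125.202.218 - - [06/Jul/2017:03:51:14 +1000] "POST /index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload HTTP/1.1" 200 1002 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"',
    '198.51.100.9 - - [06/Jul/2017:04:10:22 +1000] "POST /index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload HTTP/1.1" 403 199 "-" "curl/7.52.1"',
]

if __name__ == '__main__':
    result = triage(SAMPLE_LOG)
    for rec in result['uploads']:
        print(f"{rec['ts'].isoformat()} {rec['ip']} POST upload -> {rec['status']} ({rec['size']} bytes)")
    for rec in result['referer_hits']:
        print(f"{rec['ts'].isoformat()} {rec['ip']} referer from upload endpoint: {rec['path']}")
    print('IPs to correlate with file mtimes:', source_ips(result))
```

Run it against the real access log with `triage(open('access.log').read().splitlines())`; the timestamps of the `uploads` bucket are what to line up against the mtimes of `index.html` and `ssiwebshell.shtml`, and the `referer_hits` bucket shows how the same client reached the endpoint.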