Attack Chain

1. An unauthenticated attacker identifies a Joomla com_fabrik installation running version 3.9.11.
2. The attacker crafts a GET request targeting the /index.php endpoint with the option=com_fabrik and task=plugin.pluginAjax parameters.
3. The request includes plugin=fileupload and method=onAjax_files to target the vulnerable method.
4. The attacker injects path traversal sequences (e.g., ../../../../) within the folder parameter of the GET request.
5. The server-side application (com_fabrik) processes the request without proper sanitization of the folder parameter.
6. The application interprets the path traversal sequences, allowing access to directories outside the intended web root.
7. The attacker receives a response containing a list of files and directories within the traversed path.
8. The attacker can repeat this process to map out the file system and identify sensitive files.

Impact

Successful exploitation of this vulnerability allows unauthenticated attackers to list arbitrary files on the affected system. This information disclosure can lead to the exposure of sensitive configuration files, database credentials, or other confidential data. The CVSS v3.1 score of 7.5 indicates a high severity due to the potential for unauthorized access to sensitive information.

Recommendation

• Upgrade com_fabrik to a version that addresses CVE-2020-37219.
• Implement input validation and sanitization on the folder parameter within the onAjax_files method to prevent path traversal attacks.
• Deploy the Sigma rule Detect Joomla com_fabrik Directory Traversal Attempt to identify potential exploitation attempts in web server logs.
• Monitor web server access logs for suspicious GET requests to index.php with the com_fabrik, plugin=fileupload, and method=onAjax_files parameters, particularly those containing path traversal sequences in the folder parameter.
• Implement web application firewall (WAF) rules to block requests containing path traversal sequences targeting the onAjax_files method.