TUCoPS :: Web :: Apps :: b06-1700.htm

Mambo/Joomla rss component vulnerability
- Mambo/Joomla rss component vulnerability
- Mambo/Joomla rss component vulnerability


KAPDA New advisory

Mambo website : http://www.mamboserver.com 
Bug: Path Disclosure & Remote Denial Of Service
Exploitation: Remote with browser
Exploit: available

Description:
--------------------
Mambo is a feature-rich dynamic portal engine/content
management tool capable of building sites from several
pages to several thousand. Mambo uses PHP/MySQL and
features a very comprehensive admin manager.

Vulnerability:
--------------------
The Script does not properly validate user-supplied
input in rss.php.A remote user can supply a specially
crafted URL to cause the system to display an error
message that discloses the installation Path or force
the script to create Tons of superfluous xml files
which in some cases results in remote DOS attacks
against target.
Lets see Code Snippets:

/components/com_rss/rss.php 

[#73-74]
// get feed type from url
$info[ 'feed' ] = mosGetParam( $_GET, 'feed', 'RSS2.0'
);

[#91-93]
// set filename for rss feeds
$info[ 'file' ] = strtolower( str_replace( '.', '',
$info[ 'feed' ] ) );
$info[ 'file' ] = $mosConfig_absolute_path .'/cache/'.
$info[ 'file' ] .'.xml';

[#244-245]
// save feed file
$rss->saveFeed( $info[ 'feed' ], $info[ 'file' ],
$showFeed );


/includes/feedcreator.class.php       // FeedCreator
class v1.7.2 , originally (c) Kai Blankenhorn
[#681-697]

	function saveFeed($filename="",
$displayContents=true) {
		if ($filename=="") {
			$filename = $this->_generateFilename();
		}
		$feedFile = fopen($filename, "w+");
		if ($feedFile) {
			fputs($feedFile,$this->createFeed());
			fclose($feedFile);
			if ($displayContents) {
				$this->_redirect($filename);
			}
		} else {
			echo "
Error creating feed file, please
check write permissions.
";
		}
	}
=09
}

Demonstration URL:
--------------------
http://example.com/index2.php?option=com_rss&feed=test\/> 
Warning: fopen(path\to\mambo\test\\/>.xml)
[function.fopen]: failed to open stream: No such file
or directory in
path\to\mambo\includes\feedcreator.class.php on line
685

DDOS:
--------------------
Its possible to perform distributed denial of service
attacks against Installed mambo on IIS servers
Specially when php runs as ISAPI module.  
requesting
http://example.com/index2.php?option=com_rss&feed=arbitraryfilenames 
will cause remote script to save arbitrary files in
cache folder And large amount of request will cause
IIS to returen "HTTP 403.9 - Access Forbidden: Too
many users are connected
Internet Information Services" to legitimate users.
Or from php5 as isapi module :
"PHP has encountered an Access Violation at 77F6103A"

Solution:
--------------------
There is no vendor supplied patch for this issue at
this time.
 
Original Advisories:
--------------------
http://www.kapda.ir/advisory-313.html [with 
exploit]
IN Farsi:
http://irannetjob.com/content/view/209/28/ 

Credit :
--------------------
Discovered & released by trueend5 (trueend5 kapda ir)
Security Science Researchers Institute Of Iran
[http://www.KAPDA.ir] 

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH