[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <1156188236.3973.0.camel@server.groot.local>
Date: Mon, 21 Aug 2006 21:23:56 +0200
From: Jan de Groot <jan@....homeip.net>
To: bugtraq@...urityfocus.com
Subject: Re: Mambo Component - Display MOSBot Manager Remote File Inclusion
Vuln
On Sun, 2006-08-20 at 01:55 +0000, Outlaw@...a-security.net wrote:
> ###########################################################################################
> # Aria-Security.net Advisory #
> # Discovered by: O.U.T.L.A.W #
>
> # < www.Aria-security.net > #
> # Gr33t to: A.U.R.A & Hessam-X & Cl0wn & DrtRp #
> # #
> ###########################################################################################
>
>
> #Software: Mambo Components ContXTD
> #Attack method: Remote File Inclusion
> #Source:
>
> ** ensure this file is being included by a parent file */
> defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );
>
> include_once( $mosConfig_absolute_path .'/includes/vcard.class.php' );
The "defined( '_VALID_MOS' ) or die" you quoted is there to prevent
this. You can't define that constant from POST or GET.
Powered by blists - more mailing lists