Message-ID: <8f6a58a30511160744t2c6191eajd2b0de65892a3a27@mail.gmail.com>
Date: Wed Nov 16 15:44:36 2005
From: slythers at gmail.com (peter MC tachatte)
Subject: mambo remote code execution

A vulnerability exists in globals.php when register_globals is off, and it allows
remote code inclusion.
This is a GLOBALS overwrite.
In components/com_content/content.html.php there is the line:
require_once( $GLOBALS['mosConfig_absolute_path'] . '/includes/HTML_toolbar.php' );

ok

from globals.php:
if (!ini_get('register_globals')) {
    // register_globals emulation: every key of every input source is copied
    // into $GLOBALS with no check on the key name.
    while(list($key,$value)=each($_FILES)) $GLOBALS[$key]=$value;
    while(list($key,$value)=each($_ENV)) $GLOBALS[$key]=$value;
    while(list($key,$value)=each($_GET)) $GLOBALS[$key]=$value;
    while(list($key,$value)=each($_POST)) $GLOBALS[$key]=$value;
    while(list($key,$value)=each($_COOKIE)) $GLOBALS[$key]=$value;
    while(list($key,$value)=each($_SERVER)) $GLOBALS[$key]=$value;
    while(list($key,$value)=@each($_SESSION)) $GLOBALS[$key]=$value;
    foreach($_FILES as $key => $value){
        $GLOBALS[$key]=$_FILES[$key]['tmp_name'];
        foreach($value as $ext => $value2){
            $key2 = $key . '_' . $ext;
            $GLOBALS[$key2] = $value2;
        }
    }
}

from mambo.php (the fake protection):

// Only $_REQUEST (GET, POST and COOKIE data) is inspected here.
if (in_array( 'globals', array_keys( array_change_key_case( $_REQUEST, CASE_LOWER ) ) ) ) {
    die( 'Fatal error. Global variable hack attempted.' );
}
if (in_array( '_post', array_keys( array_change_key_case( $_REQUEST, CASE_LOWER ) ) ) ) {
    die( 'Fatal error. Post variable hack attempted.' );
}
 poc: http://enviede.wistee-heb.fr/index.php?cat=poc
 slythers@...il.com
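An added example, in PHP, of a safer stand-in for the emulation loop above and of why the mambo.php check is too narrow (this is not Mambo's code or the author's PoC; RESERVED_GLOBALS, CONFIG_PREFIX and the sample arrays are assumptions): it refuses any key naming GLOBALS, a superglobal or a mosConfig_ variable, and it does so over every input source the original copied rather than over $_REQUEST alone.

```php
<?php
// Added example, not Mambo's code: a safer stand-in for the globals.php loop.
// It refuses keys naming a superglobal or an application config variable, and
// it checks every source the original copied ($_FILES, $_ENV, $_SERVER,
// $_SESSION included), which a check limited to $_REQUEST cannot see.
// Lower-case names that must never be importable from request data.
const RESERVED_GLOBALS = ['globals', '_get', '_post', '_cookie', '_files',
    '_env', '_server', '_session', '_request', 'argv', 'argc'];
// Assumed prefix of the application's config variables (mosConfig_ on this page).
const CONFIG_PREFIX = 'mosconfig_';
// Split one input source into keys safe to import and keys to refuse.
// Pure function, so it can be exercised without touching real superglobals.
function filter_importable(array $source): array {
    $ok = [];
    $refused = [];
    foreach ($source as $key => $value) {
        $name = strtolower((string) $key);
        if (in_array($name, RESERVED_GLOBALS, true)
            || strpos($name, CONFIG_PREFIX) === 0
            || !preg_match('/^[a-z_][a-z0-9_]*$/', $name)) {
            $refused[] = (string) $key;
        } else {
            $ok[$key] = $value;
        }
    }
    return [$ok, $refused];
}

// Run the filter over all sources in order; abort if anything is refused.
function import_request_globals(array $sources): array {
    $imported = [];
    foreach ($sources as $src) {
        [$ok, $refused] = filter_importable($src);
        if ($refused !== []) {
            throw new RuntimeException('Refused global override: ' . implode(', ', $refused));
        }
        $imported = array_replace($imported, $ok); // later sources win, as in the original
    }
    return $imported;
}
// Constructed sample input: a benign query parameter plus an upload field named
// GLOBALS, the kind of key the $_REQUEST-only check in mambo.php does not inspect.
$sample_get   = ['cat' => 'poc'];
$sample_files = ['GLOBALS' => ['tmp_name' => '/tmp/phpAbC123', 'name' => 'x']];
try {
    import_request_globals([$sample_get, $sample_files]);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL; // report and stop instead of importing
}
```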
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051116/8a2e96f3/attachment.html
