Joomla Rssxt <= 1.0 Remote File Include Vulnerability (update)

CVE	Category	Price	Severity
CVE-2011-3250	CWE-22	$500	High

Author	Risk	Exploitation Type	Date
Soroush Dalili	High	Remote	2006-09-02

CVSS	EPSS	EPSSP
CVSS:4.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	0	0

CVSS vector description

Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2006080165

Below is a copy:

Hi,

crackers_child (at) sibersavascilar (dot) com [email concealed] schrieb am Fri, 18 Aug 2006 09:46:12 +0000:

>Title : Joomla Rssxt <= 1.0 Remote File Include Vulnerability

First: There ist no pinger.php or RPC.php in V 1.0.
But they are in 2.0 Beta 1.
So maybe you reportet the wrong version.

>-------------------------------------------
>
>Bug 
>
>
>in pinger.php
>
>
>require("../../configuration.php");
>
>require("../../classes/mambo.php");
>
>require("../../includes/sef.php");
>
>require("$mosConfig_absolute_path/administrator/components/com_rssxt/
>class.rssxt.php");

$mosConfig_absolute_path is set in configuration.php.
If it is not manipulated in classes/mambo.php or
includes/sef.php there ist no way to change it.
Surely not in pinger.php.

>in RPC.php
>
>
>require("../../configuration.php");
>
> ...
Same as above.

>rssxt.php 
>
>
>include($mosConfig_absolute_path."/components/com_rssxt/includes/
>feedcreator.class.php");
>
>require_once( $mosConfig_absolute_path."/administrator/components/
>com_rssxt/class.rssxt.php");

rssxt.php checks for direct calls, if you call it
direct you got a 'die', but no code-execution oder
file inclusion.

No file inclusion at all.

Regards
  Carsten

-- 
Dipl.-Inform. Carsten Eilers
IT-Sicherheit und Datenschutz

<http://www.ceilers-it.de>

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum