Mambo Phphop产品多个远程文件包含漏洞

Mambo Phphop是一款基于Mambo的应用模块。 Mambo Phphop不正确过滤用户提交的URI数据，远程攻击者可以利用漏洞以WEB进程权限执行任意命令。 问题是多个脚本对用户提交的'mosConfigabsolutepath'参数缺少过滤，提交恶意的远程服务器作为包含对象，可导致以WEB进程权限执行任意PHP代码。 Mambo Mambo-phphop 1.2 http://mamboxchange.com/projects/mambo-phpshop/...

phphop.txt

Aria-Security.net Advisory Discovered by: O.U.T.L.A.W Gr33t to: A.U.R.A & Hessam-X & Cl0wn & DrtRp Software: mambo-phphop Product Scroller Module Attack method: Remote File Inclusion Source: / Load the phpshop main parse code / requireonce...

mambo-phphop Product Scroller Module R.F.I

Aria-Security.net Advisory Discovered by: O.U.T.L.A.W www.Aria-security.net Gr33t to: A.U.R.A & Hessam-X & Cl0wn & DrtRp Software: mambo-phphop Product Scroller Module Attack method: Remote File Inclusion Source: / Load the phpshop main parse code / requireonce...