<<< Date Index >>>     <<< Thread Index >>>

[KAPDA::#41] - Mambo/Joomla rss component vulnerability



KAPDA New advisory

Mambo website : http://www.mamboserver.com
Bug: Path Disclosure & Remote Denial Of Service
Exploitation: Remote with browser
Exploit: available

Description:
--------------------
Mambo is a feature-rich dynamic portal engine/content
management tool capable of building sites from several
pages to several thousand. Mambo uses PHP/MySQL and
features a very comprehensive admin manager.

Vulnerability:
--------------------
The Script does not properly validate user-supplied
input in rss.php.A remote user can supply a specially
crafted URL to cause the system to display an error
message that discloses the installation Path or force
the script to create Tons of superfluous xml files
which in some cases results in remote DOS attacks
against target.
Lets see Code Snippets:

/components/com_rss/rss.php 

[#73-74]
// get feed type from url
$info[ 'feed' ] = mosGetParam( $_GET, 'feed', 'RSS2.0'
);

[#91-93]
// set filename for rss feeds
$info[ 'file' ] = strtolower( str_replace( '.', '',
$info[ 'feed' ] ) );
$info[ 'file' ] = $mosConfig_absolute_path .'/cache/'.
$info[ 'file' ] .'.xml';

[#244-245]
// save feed file
$rss->saveFeed( $info[ 'feed' ], $info[ 'file' ],
$showFeed );


/includes/feedcreator.class.php       // FeedCreator
class v1.7.2 , originally (c) Kai Blankenhorn
[#681-697]

        function saveFeed($filename="",
$displayContents=true) {
                if ($filename=="") {
                        $filename = $this->_generateFilename();
                }
                $feedFile = fopen($filename, "w+");
                if ($feedFile) {
                        fputs($feedFile,$this->createFeed());
                        fclose($feedFile);
                        if ($displayContents) {
                                $this->_redirect($filename);
                        }
                } else {
                        echo "<br /><b>Error creating feed file, please
check write permissions.</b><br />";
                }
        }
        
}

Demonstration URL:
--------------------
http://example.com/index2.php?option=com_rss&feed=test\/>
Warning: fopen(path\to\mambo\test\\/>.xml)
[function.fopen]: failed to open stream: No such file
or directory in
path\to\mambo\includes\feedcreator.class.php on line
685

DDOS:
--------------------
Its possible to perform distributed denial of service
attacks against Installed mambo on IIS servers
Specially when php runs as ISAPI module.  
requesting
http://example.com/index2.php?option=com_rss&feed=arbitraryfilenames
will cause remote script to save arbitrary files in
cache folder And large amount of request will cause
IIS to returen "HTTP 403.9 - Access Forbidden: Too
many users are connected
Internet Information Services" to legitimate users.
Or from php5 as isapi module :
"PHP has encountered an Access Violation at 77F6103A"

Solution:
--------------------
There is no vendor supplied patch for this issue at
this time.
 
Original Advisories:
--------------------
http://www.kapda.ir/advisory-313.html    [with
exploit]
IN Farsi:
http://irannetjob.com/content/view/209/28/

Credit :
--------------------
Discovered & released by trueend5 (trueend5 kapda ir)
Security Science Researchers Institute Of Iran
[http://www.KAPDA.ir]

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com