<<< Date Index >>>     <<< Thread Index >>>

Re: Mambo Component - Display MOSBot Manager Remote File Inclusion Vuln



On Sun, 2006-08-20 at 01:55 +0000, Outlaw@xxxxxxxxxxxxxxxxx wrote:
>               
> ###########################################################################################
>               #                       Aria-Security.net Advisory              
>                           #
>               #                       Discovered  by: O.U.T.L.A.W             
>                           #     
> 
>               #                       < www.Aria-security.net >               
>                           #
>               #               Gr33t to: A.U.R.A & Hessam-X & Cl0wn & DrtRp    
>                           #
>               #                                                               
>                           #
>               
> ###########################################################################################
> 
> 
> #Software: Mambo Components ContXTD
> #Attack method: Remote File Inclusion
> #Source:
> 
> ** ensure this file is being included by a parent file */
> defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not 
> allowed.' );
> 
> include_once( $mosConfig_absolute_path .'/includes/vcard.class.php' );

The "defined( '_VALID_MOS' ) or die" you quoted is there to prevent
this. You can't define that constant from POST or GET.