Related information

Web applications security vulnerabilities (PHP, ASP, CGI, Perl, etc)

[Full-disclosure] ExoPHPDesk is helpdesk written in PHP/SQL.

[TKADV2005-11-004] Multiple Cross Site Scripting vulnerabilities in phpMyFAQ

phpComasy "id" SQL Injection Vulnerability

[SA17614] Unclassified NewsBoard "DateFrom" SQL Injection Vulnerability

From:	bad boy <slythers_(at)_gmail.com>
Date:	16.11.2005
Subject:	[Full-disclosure] mambo remote code sexecution

a vulnerability exist in globals.php when register_globals is off and allow remote code inclusion

this a GLOBALS overwrite

in components/com_content/content.html.php
there is the line:
require_once( $GLOBALS['mosConfig_absolute_path'] . '/includes/HTML_toolbar.php' );

ok

da globals.php:
if (!ini_get('register_globals')) {
while(list($key,$value)=each($_FILES)) $GLOBALS[$key]=$value;
while(list($key,$value)=each($_ENV)) $GLOBALS[$key]=$value;
while(list($key,$value)=each($_GET)) $GLOBALS[$key]=$value;
while(list($key,$value)=each($_POST)) $GLOBALS[$key]=$value;
while(list($key,$value)=each($_COOKIE)) $GLOBALS[$key]=$value;
while(list($key,$value)=each($_SERVER)) $GLOBALS[$key]=$value;
while(list($key,$value)=@each($_SESSION)) $GLOBALS[$key]=$value;
foreach($_FILES as $key => $value){
$GLOBALS[$key]=$_FILES[$key]['tmp_name'];
foreach($value as $ext => $value2){
$key2 = $key . '_' . $ext;
$GLOBALS[$key2] = $value2;
}
}
}

da fake protect in mambo.php:

if (in_array( 'globals', array_keys( array_change_key_case( $_REQUEST, CASE_LOWER ) ) ) ) {
die( 'Fatal error. Global variable hack attempted.' );
}
if (in_array( '_post', array_keys( array_change_key_case( $_REQUEST, CASE_LOWER ) ) ) ) {
die( 'Fatal error. Post variable hack attempted.' );
}

poc: http://enviede.wistee-heb.fr/index.php?cat=poc

slythers@gmail.com