[OpenLug] Vuln
-=Quequero=-
quequero@bitchx.it
Gio 2 Mar 2006 23:46:08 CET
Segnalo, che magari passa inosservato:
[Product Description]
Joomla! is a Content Management System (CMS) created by the same
award-winning
team that brought the Mambo CMS to its current state of stardom.
[Summary]
An attacker can invoke some undesirable situations for server administrator.
[Details]
1. Real server path disclose and arbitrary filename creation.
Vulnerable script: includes/feedcreator.class.php
[code]
function saveFeed($filename="", $displayContents=true) {
if ($filename=="") {
$filename = $this->_generateFilename();
}
$feedFile = fopen($filename, "w+");
if ($feedFile) {
fputs($feedFile,$this->createFeed());
fclose($feedFile);
if ($displayContents) {
$this->_redirect($filename);
}
[/code]
Exploit:
Vulnerable script: index.php?option=com_rss&feed=filename_here&no_html=1
An attacker can write simple code to soil the server by lots of cashed
files.
To disclose real path - just put slash symbol in the filename.
2. Denial of service.
Vulnerable script: includes/phpInputFilter/class.inputfilter.php
Anti-xss code will not cope with several tags. This can cause denial of
servise.
Exploit:
index.php?option=com_poll&task=results&id=14&mosmsg=DOS@HERE<<>AAA<><>
[DISCLOSURE TIMELINE]
09/02/06 - vendor notification
26/02/06 - new release (1.0.8) with bugfix
--
-=Quequero=-
UIC Founder www.quequero.org
Linux Registered User #207978
Maggiori informazioni sulla lista
OpenLug