Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: Apps :: b06-1700.htm

Mambo/Joomla rss component vulnerability



- Mambo/Joomla rss component vulnerability
- Mambo/Joomla rss component vulnerability



KAPDA New advisory

Mambo website : http://www.mamboserver.com 
Bug: Path Disclosure & Remote Denial Of Service
Exploitation: Remote with browser
Exploit: available

Description:
--------------------
Mambo is a feature-rich dynamic portal engine/content
management tool capable of building sites from several
pages to several thousand. Mambo uses PHP/MySQL and
features a very comprehensive admin manager.

Vulnerability:
--------------------
The Script does not properly validate user-supplied
input in rss.php.A remote user can supply a specially
crafted URL to cause the system to display an error
message that discloses the installation Path or force
the script to create Tons of superfluous xml files
which in some cases results in remote DOS attacks
against target.
Lets see Code Snippets:

/components/com_rss/rss.php 

[#73-74]
// get feed type from url
$info[ 'feed' ] = mosGetParam( $_GET, 'feed', 'RSS2.0'
);

[#91-93]
// set filename for rss feeds
$info[ 'file' ] = strtolower( str_replace( '.', '',
$info[ 'feed' ] ) );
$info[ 'file' ] = $mosConfig_absolute_path .'/cache/'.
$info[ 'file' ] .'.xml';

[#244-245]
// save feed file
$rss->saveFeed( $info[ 'feed' ], $info[ 'file' ],
$showFeed );


/includes/feedcreator.class.php       // FeedCreator
class v1.7.2 , originally (c) Kai Blankenhorn
[#681-697]

	function saveFeed($filename="",
$displayContents=true) {
		if ($filename=="") {
			$filename = $this->_generateFilename();
		}
		$feedFile = fopen($filename, "w+");
		if ($feedFile) {
			fputs($feedFile,$this->createFeed());
			fclose($feedFile);
			if ($displayContents) {
				$this->_redirect($filename);
			}
		} else {
			echo "
Error creating feed file, please check write permissions.
"; } } =09 } Demonstration URL: -------------------- http://example.com/index2.php?option=com_rss&feed=test\/> Warning: fopen(path\to\mambo\test\\/>.xml) [function.fopen]: failed to open stream: No such file or directory in path\to\mambo\includes\feedcreator.class.php on line 685 DDOS: -------------------- Its possible to perform distributed denial of service attacks against Installed mambo on IIS servers Specially when php runs as ISAPI module. requesting http://example.com/index2.php?option=com_rss&feed=arbitraryfilenames will cause remote script to save arbitrary files in cache folder And large amount of request will cause IIS to returen "HTTP 403.9 - Access Forbidden: Too many users are connected Internet Information Services" to legitimate users. Or from php5 as isapi module : "PHP has encountered an Access Violation at 77F6103A" Solution: -------------------- There is no vendor supplied patch for this issue at this time. Original Advisories: -------------------- http://www.kapda.ir/advisory-313.html [with exploit] IN Farsi: http://irannetjob.com/content/view/209/28/ Credit : -------------------- Discovered & released by trueend5 (trueend5 kapda ir) Security Science Researchers Institute Of Iran [http://www.KAPDA.ir] __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH