[VIM] Mambo Module uhp 0.3 (uhp_config.php) Remote File Inclusion Exploit
Steven M. Christey
coley at linus.mitre.org
Fri Mar 23 21:09:39 UTC 2007
On Fri, 23 Mar 2007, George A. Theall wrote:
> After last summer's blitz, any remote file include issue published
> nowadays and involving mosConfig_absolute_path raises suspicions in my
Really? Hmmm. Since mosConfig_absolute_path is clearly associated with
arbitrary third-party modules (like phpbb_home_path is for PHPBB), I'm not
always going to be suspicious - since there's been enough evidence that
many module developers don't actually add the required anti-direct-request
1) third-party modules for Mambo/Joomla apparently require that
mosConfig_absolute_path is set
2) Proper integration of the module into the environment
apparently suggests protection against direct request using
3) Predictably, lots of module developers don't do step 2. We've got
over 30 CVEs for different modules.
4) Therefore mosConfig_absolute_path is a valid RFI vector for those
modules (with the usual disclaimers), and is also all over the place
because of the raw number of modules for mambo/joomla.
5) Similar rationale holds for PHPBB modules.
6) crackers_child and others aside, this seems like a legitimate issue.
The source code for uhp_config.php says:
define ("_uhp_TITLE","User Home Pages");
which sure looks like legit RFI to me.
And, as you said, sure looks the same as last year's. But this kind of
rediscovery is not surprising.
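As an added illustration of the "step 2 is missing" pattern the list above describes (this is not code from the thread, from Mambo, or from the uhp module): a small Python audit that flags module files which build an include path from $mosConfig_absolute_path before the Mambo/Joomla 1.0 direct-access guard `defined('_VALID_MOS') or die(...)` has run. The two PHP snippets are constructed samples, one guarded and one not.

```python
import re

# Constructed sample module source that follows the Mambo/Joomla 1.0 convention:
# the _VALID_MOS guard runs before any include that depends on $mosConfig_absolute_path.
GUARDED = """<?php
defined('_VALID_MOS') or die('Direct Access to this location is not allowed.');
require_once($mosConfig_absolute_path . '/components/com_example/lib.php');
"""

# Constructed sample that only defines a title (like the uhp_config.php line quoted
# above) and then includes via $mosConfig_absolute_path with no guard at all.
UNGUARDED = """<?php
define("_example_TITLE", "Example Module");
require_once($mosConfig_absolute_path . '/components/com_example/lib.php');
"""

GUARD_RE = re.compile(r"defined\s*\(\s*['\"]_VALID_MOS['\"]\s*\)")
INCLUDE_RE = re.compile(
    r"\b(include|include_once|require|require_once)\b[^;]*\$mosConfig_absolute_path"
)


def find_unguarded_includes(src):
    """Return 1-based line numbers of include/require statements whose path is
    built from $mosConfig_absolute_path and that appear before any _VALID_MOS
    guard. This is a heuristic: it assumes the guard, when present, executes
    unconditionally near the top of the file, which is the usual convention."""
    hits = []
    guard_seen = False
    for lineno, line in enumerate(src.splitlines(), 1):
        if GUARD_RE.search(line):
            guard_seen = True
        if not guard_seen and INCLUDE_RE.search(line):
            hits.append(lineno)
    return hits


def audit_file(path):
    """Convenience wrapper for scanning a module file on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_unguarded_includes(fh.read())


if __name__ == "__main__":
    for name, src in (("guarded", GUARDED), ("unguarded", UNGUARDED)):
        print(name, "unguarded includes at lines:", find_unguarded_includes(src))
```

Run over a components/ or modules/ tree, a non-empty result for a file means the module relies on the caller having set $mosConfig_absolute_path and has no defence against being requested directly.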