[VIM] Mambo Module uhp 0.3 (uhp_config.php) Remote File Inclusion Exploit
Steven M. Christey
coley at linus.mitre.org
Fri Mar 23 21:09:39 UTC 2007
On Fri, 23 Mar 2007, George A. Theall wrote:
> After last summer's blitz, any remote file include issue published
> nowadays and involving mosConfig_absolute_path raises suspicions in my
> mind.
Really? Hmmm. Since mosConfig_absolute_path is clearly associated with
arbitrary third-party modules (like phpbb_home_path is for PHPBB), I'm not
always going to be suspicious - since there's been enough evidence that
many module developers don't actually add the required anti-direct-request
check.
i.e.:
1) third-party modules for Mambo/Joomla apparently require that
mosConfig_absolute_path is set
2) Proper integration of the module into the environment
apparently suggests protection against direct request using
defined('_VALID_MOS')
3) Predictably, lots of module developers don't do step 2. We've got
over 30 CVEs for different modules.
4) Therefore mosConfig_absolute_path is a valid RFI vector for those
modules (with the usual disclaimers), and is also all over the place
because of the raw number of modules for mambo/joomla.
5) Similar rationale holds for PHPBB modules.
6) crackers_child and others aside, this seems like a legitimate issue.
The source code for uhp_config.php says:
define ("_uhp_TITLE","User Home Pages");
...
global $mosConfig_absolute_path;
require($mosConfig_absolute_path."/administrator/components/com_uhp/uhp_config.inc");
which sure looks like legit RFI to me.
And, as you said, sure looks the same as last year's. But this kind of
rediscovery is not surprising.
- Steve
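The pattern Steve describes (an include built from $mosConfig_absolute_path with no earlier defined('_VALID_MOS') guard) can be audited mechanically. The following is an added example, not code from the list or from the uhp module; the two PHP fragments are constructed samples modelled on the quoted lines, and the regexes are assumptions about how such guards and includes are usually written.

```python
import re

# Constructed sample: the uhp_config.php fragment as quoted (no guard at all)
UNGUARDED = """<?php
define ("_uhp_TITLE","User Home Pages");
global $mosConfig_absolute_path;
require($mosConfig_absolute_path."/administrator/components/com_uhp/uhp_config.inc");
"""

# Constructed sample: the same file with the anti-direct-request check step 2 calls for
GUARDED = """<?php
defined('_VALID_MOS') or die('Direct Access to this location is not allowed.');
define ("_uhp_TITLE","User Home Pages");
global $mosConfig_absolute_path;
require($mosConfig_absolute_path."/administrator/components/com_uhp/uhp_config.inc");
"""

# An include/require whose path starts with the unvalidated global (assumed spelling variants)
INCLUDE_RE = re.compile(
    r'\b(require|require_once|include|include_once)\s*\(?\s*\$mosConfig_absolute_path\b')
# The guard Mambo/Joomla modules are expected to carry before any such include
GUARD_RE = re.compile(r"""defined\s*\(\s*['"]_VALID_MOS['"]\s*\)""")


def find_unguarded_includes(src):
    """Return 1-based line numbers of includes built from $mosConfig_absolute_path
    that are not preceded, earlier in the file, by a defined('_VALID_MOS') check.
    Only textual order is considered: a guard nested in a conditional still counts."""
    findings = []
    guard_seen = False
    for lineno, line in enumerate(src.splitlines(), 1):
        if GUARD_RE.search(line):
            guard_seen = True
        if INCLUDE_RE.search(line) and not guard_seen:
            findings.append(lineno)
    return findings


def audit_modules(files):
    """Map {path: source} to {path: [line numbers]} for files that need attention."""
    return {path: hits for path, src in files.items()
            if (hits := find_unguarded_includes(src))}
```

A guard that appears only after the include is still reported, because the include has already run by then.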