[VIM] bad report for EstateAgent?
security curmudgeon
jericho at attrition.org
Wed Aug 23 20:04:54 EDT 2006
: BUGTRAQ:20060820 Mambo Component - EstateAgent Remote File Inclusion
: URL:http://www.securityfocus.com/archive/1/archive/1/443911/100/0/threaded
:
: Outlaw from Aria Security includes the following source code extract:
:
: ># Don't allow direct linking
: >
: >defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not
: >allowed.' );
: >
: >require_once( $mainframe->getPath( 'front_html' ) );
: >
: >require($mosConfig_absolute_path."/administrator/components/com_estateag
: >ent/configuration.php");
:
:
: Um - isn't this the recommended fix that Mambo told all component
: developers to use? I don't have that URL on me at the moment.
:
: Anyway, I can't get any source code to check - I couldn't find it on
: the site after a cursory look - but I'm not sure this report is
: correct, based on the above.

Without looking, there is a high probability. Check out the recent rash
of Mambo/Joomla related vulns:

http://osvdb.org/blog/?p=132

Specifically, several from this person were found to be inaccurate, so
seeing this turn up wrong wouldn't be a shock.
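
The by-eye check made in the quoted message (does the `_VALID_MOS` guard run before the variable-path `require`?) can be scripted for triaging reports like this one. This is an added example, not part of the original thread or of the EstateAgent component; the function names are hypothetical and the `UNGUARDED` input is constructed.

```python
import re

# Guard exactly as it appears in the extract quoted in the thread.
GUARD = re.compile(r"defined\s*\(\s*['\"]_VALID_MOS['\"]\s*\)\s*or\s+(?:die|exit)\b", re.I)
# include/require whose path starts with a plain variable (not a method call).
INCLUDE = re.compile(r"\b(?:require|include)(?:_once)?\s*\(?\s*(\$\w+)\b(?!\s*->)", re.I)
COMMENT = re.compile(r"/\*.*?\*/|(?:#|//)[^\n]*", re.S)


def blank_comments(src):
    """Replace comments with spaces so a commented-out guard does not count
    and line numbers stay stable. Heuristic: ignores '//' inside strings."""
    return COMMENT.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), src)


def triage(src):
    """Return (line, variable, guarded) for every variable-path include.
    guarded is True when the _VALID_MOS check appears earlier in the file."""
    code = blank_comments(src)
    guard = GUARD.search(code)
    findings = []
    for m in INCLUDE.finditer(code):
        line = code.count("\n", 0, m.start()) + 1
        guarded = guard is not None and guard.start() < m.start()
        findings.append((line, m.group(1), guarded))
    return findings


# The extract from the quoted report, with the mail line-wrapping undone.
EXTRACT = """# Don't allow direct linking
defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );
require_once( $mainframe->getPath( 'front_html' ) );
require($mosConfig_absolute_path."/administrator/components/com_estateagent/configuration.php");
"""

# Constructed counter-case: same include, guard commented out.
UNGUARDED = EXTRACT.replace("defined(", "// defined(")

if __name__ == "__main__":
    for name, src in (("extract", EXTRACT), ("unguarded", UNGUARDED)):
        for line, var, guarded in triage(src):
            verdict = "guard precedes include" if guarded else "NO guard before include"
            print(f"{name}: line {line}: {var}: {verdict}")
```

A `True` result only says a direct request to the file exits before the `require` is reached; it does not show where `$mosConfig_absolute_path` is assigned.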