[VIM] Mambo Module uhp 0.3 (uhp_config.php) Remote File Inclusion Exploit

Steven M. Christey coley at linus.mitre.org
Fri Mar 23 21:09:39 UTC 2007

On Fri, 23 Mar 2007, George A. Theall wrote:

> After last summer's blitz, any remote file include issue published
> nowadays and involving mosConfig_absolute_path raises suspicions in my
> mind.

Really?  Hmmm.  Since mosConfig_absolute_path is clearly associated with
arbitrary third-party modules (like phpbb_home_path is for PHPBB), I'm not
always going to be suspicious - since there's been enough evidence that
many module developers don't actually add the required anti-direct-request


1) third-party modules for Mambo/Joomla apparently require that
   mosConfig_absolute_path is set

2) Proper integration of the module into the environment
   apparently suggests protection against direct request using

3) Predictably, lots of module developers don't do step 2.  We've got
   over 30 CVEs for different modules.

4) Therefore mosConfig_absolute_path is a valid RFI vector for those
   modules (with the usual disclaimers), and is also all over the place
   because of the raw number of modules for mambo/joomla.

5) Similar rationale holds for PHPBB modules.

6) crackers_child and others aside, this seems like a legitimate issue.

The source code for uhp_config.php says:

   define ("_uhp_TITLE","User Home Pages");
   global $mosConfig_absolute_path;


which sure looks like legit RFI to me.

And, as you said, sure looks the same as last year's.  But this kind of
rediscovery is not surprising.

- Steve
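The thread's argument is that the RFI exists wherever a module builds an include path from $mosConfig_absolute_path without first refusing direct requests. As an added example (not part of Steve's post or the uhp module), this small audit script flags that pattern in module source; it assumes the standard Mambo/Joomla 1.0 guard `defined('_VALID_MOS') or die(...)` is the "step 2" protection the thread refers to, and the two PHP snippets it checks are constructed stand-ins, not the real uhp_config.php.

```python
import re

# Constructed sample module sources (not from the original post). The first
# mirrors the pattern the thread describes: the include path comes straight
# from the request-settable global, with no direct-request guard. The second
# adds the usual Mambo/Joomla 1.0 guard before any include. File paths are
# constructed placeholders.
UNGUARDED_MODULE = '''<?php
define("_uhp_TITLE", "User Home Pages");
global $mosConfig_absolute_path;
require_once($mosConfig_absolute_path . "/includes/uhp_helper.php");
'''

GUARDED_MODULE = '''<?php
defined('_VALID_MOS') or die('Direct Access to this location is not allowed.');
define("_uhp_TITLE", "User Home Pages");
global $mosConfig_absolute_path;
require_once($mosConfig_absolute_path . "/includes/uhp_helper.php");
'''

# An include/require whose argument references $mosConfig_absolute_path,
# either as a bare global or via $GLOBALS['mosConfig_absolute_path'].
INCLUDE_RE = re.compile(
    r"\b(include|include_once|require|require_once)\b[^;]*"
    r"\$(?:GLOBALS\[['\"])?mosConfig_absolute_path",
    re.IGNORECASE,
)

# The direct-request guard: defined('_VALID_MOS') or die(...) / exit(...).
GUARD_RE = re.compile(
    r"defined\s*\(\s*['\"]_VALID_MOS['\"]\s*\)\s*(or|\|\|)\s*(die|exit)",
    re.IGNORECASE,
)


def audit_module(source: str) -> list[str]:
    """Return one finding per include whose path is built from
    $mosConfig_absolute_path and that is not preceded by a _VALID_MOS guard.
    An empty list means every such include sits behind the guard."""
    findings = []
    guarded = False  # becomes True once a guard line has been seen
    for lineno, line in enumerate(source.splitlines(), 1):
        if GUARD_RE.search(line):
            guarded = True
        if INCLUDE_RE.search(line) and not guarded:
            findings.append(
                f"line {lineno}: include path built from $mosConfig_absolute_path "
                "is reachable by direct request (no _VALID_MOS guard before it)"
            )
    return findings
```

The guard only closes the direct-request half of the problem; the other precondition the thread's "usual disclaimers" allude to is register_globals being on, which is what lets the request populate $mosConfig_absolute_path in the first place.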
