Joomla Rssxt <= 1.0 Remote File Include Vulnerability

!!!!!!!!!WWW.SiBERSAVASCiLAR.CM!!!!!!!!!


Title : Joomla Rssxt <= 1.0 Remote File Include Vulnerability


#Author: Crackers_Child


#cont@ct: crackers_child (AT) sibersavascilar (DOT) com



Google Dorks : allinurl:"/com_rssxt/"



Download :


Bug

in pinger.php

require("//configuration.php");
require("//classes/mambo.php");
require("//includes/sef.php");
require("$");
error_reporting(0);
require("");



in RPC.php

require("//configuration.php");
require("$");
require("$");
require("$");
require("includes/blogger.php");
require("includes/metaweblog.php");
error_reporting(0);
require("$");
--

rssxt.php

include($mosConfig_absolute_path."/");
require_once( $mosConfig_absolute_path."/");



Exploit:









greets:

All My Friends And SiberSavascilar.Com Members !




[ WWW.SiBERSAVASCiLAR.CM ]

Hi,

crackers_child (AT) sibersavascilar (DOT) com schrieb am Fri, 18 Aug 2006 09:46:12 +0000:

>Title : Joomla Rssxt <= 1.0 Remote File Include Vulnerability

First: There ist no pinger.php or RPC.php in V 1.0.
But they are in 2.0 Beta 1.
So maybe you reportet the wrong version.

>
>
>Bug
>
>
>in pinger.php
>
>
>require("//configuration.php");
>
>require("//classes/mambo.php");
>
>require("//includes/sef.php");
>
>require("$
>class.rssxt.php");

$mosConfig_absolute_path is set in configuration.php.
If it is not manipulated in classes/mambo.php or
includes/sef.php there ist no way to change it.
Surely not in pinger.php.

>in RPC.php
>
>
>require("//configuration.php");
>

Same as above.

>rssxt.php
>
>
>include($mosConfig_absolute_path."/components/com_rssxt/includes/
>feedcreator.class.php");
>
>require_once( $mosConfig_absolute_path."/administrator/components/
>com_rssxt/class.rssxt.php");

rssxt.php checks for direct calls, if you call it
direct you got a 'die', but no code-execution oder
file inclusion.

No file inclusion at all.

Regards
Carsten

--
Dipl.-Inform. Carsten Eilers
IT-Sicherheit und Datenschutz

<http://www.ceilers-it.de>