
Re: Mambo Component - Display MOSBot Manager Remote File Inclusion Vuln


On Sun, 2006-08-20 at 01:55 +0000, suppressed wrote:
> 		###########################################################################################
> 		#			Aria-Security.net Advisory                                        #
> 		#			Discovered  by: O.U.T.L.A.W                                       #	
> 
> 		#			< www.Aria-security.net >                                      	  #
> 		#		Gr33t to: A.U.R.A & Hessam-X & Cl0wn & DrtRp                      	  #
> 		#		                                  		    			  #
> 		###########################################################################################
> 
> 
> #Software: Mambo Components ContXTD
> #Attack method: Remote File Inclusion
> #Source:
> 
> /** ensure this file is being included by a parent file */
> defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );
> 
> include_once( $mosConfig_absolute_path .'/includes/vcard.class.php' );

The "defined( '_VALID_MOS' ) or die" you quoted is there to prevent
this. You can't define that constant from POST or GET.
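
One way to check component files for the guard discussed in this thread, as an added example that is not part of either message and not Mambo's own code: it reports includes built from a variable that execute before a `defined( '_VALID_MOS' ) or die` line. The function names and sample files are constructed for illustration, and the regex matching is a heuristic, not a PHP parser.

```python
import re

# Keep string literals, blank out comments (a commented-out guard must not count).
TOKEN_RE = re.compile(r"""('(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*")
                          |(/\*.*?\*/|//[^\n]*|\#[^\n]*)""", re.S | re.X)
# The guard quoted in the thread: defined( '_VALID_MOS' ) or die( ... );
GUARD_RE = re.compile(
    r"defined\s*\(\s*['\"]_VALID_MOS['\"]\s*\)\s*(?:or|\|\|)\s*(?:die|exit)\b", re.I)
# include/require whose path expression contains a PHP variable.
INCLUDE_RE = re.compile(
    r"(?<![$\w>])(?:include|require)(?:_once)?\b\s*\(?\s*([^;]*\$[A-Za-z_]\w*[^;]*);",
    re.I)


def strip_comments(src):
    """Replace PHP comments with spaces, preserving newlines and string literals."""
    blank = lambda m: m.group(1) or re.sub(r"[^\n]", " ", m.group(2))
    return TOKEN_RE.sub(blank, src)


def unguarded_includes(src):
    """Return [(line, path_expr)] for variable-path includes that run before the guard."""
    code = strip_comments(src)
    guard = GUARD_RE.search(code)
    guard_pos = guard.start() if guard else len(code)
    return [(code.count("\n", 0, m.start()) + 1, m.group(1).rstrip(" )"))
            for m in INCLUDE_RE.finditer(code) if m.start() < guard_pos]


# Constructed sample files; the guard and include lines are the ones quoted above.
GUARDED = """<?php
/** ensure this file is being included by a parent file */
defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );

include_once( $mosConfig_absolute_path .'/includes/vcard.class.php' );
"""
GUARD_COMMENTED_OUT = """<?php
// defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );
require_once( 'includes/fixed.php' );
include_once( $mosConfig_absolute_path .'/includes/vcard.class.php' );
"""

if __name__ == "__main__":
    for name, src in (("guarded", GUARDED), ("commented out", GUARD_COMMENTED_OUT)):
        print(name, unguarded_includes(src))
```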

