iPolicy Networks Security Advisory
 

Mambo mosConfig_absolute_path file inclusion vulnerability

Date Discovered: 8/7/2006
Severity: High
Operating Systems: Microsoft Windows
Linux
HP-UX
IBM: AIX
IBM: OS/2
Sun Microsystems, Inc.: Solaris
Wind River Systems, Inc.: BSD
Apple Computer, Inc.: Mac OS X
Data General: DG/UX
Santa Cruz Operation, Inc.: SCO Unix
SGI: IRIX
Applications Affected: Mambo Gallery Manager version 0.95r2 & prior
Synopsis
A vulnerability has been identified in the Mambo Gallery Manager (MGM) component for Mambo, which could be exploited by attackers to include arbitrary PHP files.
Recommended Actions
1. Review existing code for file operations to ensure that user input is properly validated.
2. When writing new code, try to limit the use of dynamic user input in the vulnerable mosConfig_absolute_path parameter.
3. Update to the fixed version, when available, from the vendor's website below:
http://mamboxchange.com/projects/mgm
Threat Analysis
Mambo Gallery Manager (MGM) is an open source component for MOS that allows administrators to create image galleries and publish them in content pages.

This flaw exists due to input validation errors in the "help.mgm.php" and "about.mgm.php" scripts, which fail to validate the "mosConfig_absolute_path" parameter. A remote attacker could send a specially-crafted URL request to the "help.mgm.php" or the "about.mgm.php" script using the "mosConfig_absolute_path" parameter to include malicious files and execute arbitrary commands with the privileges of the web server.
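
A log check for the request described above, as an added example that is not part of the original advisory: it flags web access-log lines in which either script is requested with mosConfig_absolute_path in the query string. The combined log format, the sample lines, and the names scan and SAMPLE_LOG are assumptions.

```python
import re
from posixpath import basename
from urllib.parse import parse_qsl, unquote, urlsplit

# Script and parameter names come from the advisory; everything else is assumed.
SCRIPTS = {"help.mgm.php", "about.mgm.php"}
PARAM = "mosConfig_absolute_path"

# Combined log format: client ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+)[^"]*" (\d{3})')
SCHEME_RE = re.compile(r'^[A-Za-z][A-Za-z0-9+.-]*://')

# Constructed sample lines (documentation addresses, placeholder paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Aug/2006:10:00:01 +0000] "GET /example/help.mgm.php'
    '?mosConfig_absolute_path=http://files.example.invalid/ HTTP/1.1" 200 512',
    '192.0.2.11 - - [07/Aug/2006:10:00:05 +0000] "GET /example/about.mgm.php'
    '?mosConfig%2Eabsolute%2Epath=%2Ftmp%2F HTTP/1.1" 200 310',
    '192.0.2.12 - - [07/Aug/2006:10:00:09 +0000] "GET /example/help.mgm.php'
    ' HTTP/1.1" 200 2048',
    '192.0.2.13 - - [07/Aug/2006:10:00:12 +0000] "GET /example/index.php'
    '?option=com_content HTTP/1.1" 200 4096',
]

def scan(lines):
    """Return (line_no, client, script, kind, status) per suspicious request."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not a parsable access-log line
        client, target, status = m.groups()
        url = urlsplit(target)
        script = basename(unquote(url.path)).lower()
        if script not in SCRIPTS:
            continue
        # parse_qsl percent-decodes names and values before we compare them.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            # PHP turns dots and spaces in incoming names into underscores,
            # so normalise the name the same way.
            if name.replace(".", "_").replace(" ", "_") != PARAM:
                continue
            # The parameter should never arrive from a client, so any value
            # is reported; "remote" marks values that carry a URL scheme.
            kind = "remote" if SCHEME_RE.match(value) else "local"
            findings.append((line_no, client, script, kind, int(status)))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Access logs record only the query string, so a parameter delivered any other way would not appear in this check.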
References

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-3981
http://www.frsirt.com/english/advisories/2006/3054
http://archives.neohapsis.com/archives/bugtraq/2006-07/0533.html

Write-up by: Nitin V. Shingari