VID | 210100
Severity | 40
Port | 80, ...
Protocol | TCP
Class | CGI
Detailed Description |
The Joomla! program is vulnerable to a remote file include vulnerability via the 'mosConfig_absolute_path' parameter. Joomla! is an open-source content management system written in PHP. Joomla! versions 1.0.13 through 1.0.14 could allow a remote attacker to include an arbitrary remote file containing malicious PHP code and execute it, because user-supplied input passed to the 'mosConfig_absolute_path' parameter of the 'index.php' script is not properly validated. If 'RG_EMULATION' is not defined in the configuration file, a remote attacker could send a specially-crafted URL request to execute arbitrary PHP code and operating system commands on the affected host.
* References: http://www.joomla.org/content/view/4609/1/ ; http://archives.neohapsis.com/archives/bugtraq/2008-02/0217.html
* Platforms Affected: Joomla! versions 1.0.13 through 1.0.14; any operating system; any version |
Recommendation |
Upgrade to the latest version of Joomla! (1.0.15 or later), available from the Joomla! Web site at http://www.joomla.org/
-- OR --
Edit the application's 'configuration.php' file to disable 'RG_EMULATION' as described in the vendor security advisory at http://www.joomla.org/content/view/4609/1/ |
Related URL | CVE-2008-5671 (CVE)
Related URL | 27795 (SecurityFocus)
Related URL | (ISS)