Bugtraq mailing list archives
Re: Mambo Component - Display MOSBot Manager Remote File Inclusion Vuln
From: Jan de Groot <jan () jgc homeip net>
Date: Mon, 21 Aug 2006 21:23:56 +0200
On Sun, 2006-08-20 at 01:55 +0000, Outlaw () aria-security net wrote:
########################################################################################### # Aria-Security.net Advisory # # Discovered by: O.U.T.L.A.W # # < www.Aria-security.net > # # Gr33t to: A.U.R.A & Hessam-X & Cl0wn & DrtRp # # # ########################################################################################### #Software: Mambo Components ContXTD #Attack method: Remote File Inclusion #Source: ** ensure this file is being included by a parent file */ defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' ); include_once( $mosConfig_absolute_path .'/includes/vcard.class.php' );
The "defined( '_VALID_MOS' ) or die" you quoted is there to prevent this. You can't define that constant from POST or GET.
Current thread:
- Mambo Component - Display MOSBot Manager Remote File Inclusion Vuln Outlaw (Aug 21)
- Re: Mambo Component - Display MOSBot Manager Remote File Inclusion Vuln Jan de Groot (Aug 22)
- <Possible follow-ups>
- Mambo Component - Display MOSBot Manager Remote File Inclusion Vuln Outlaw (Aug 21)