Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Mambo Component - Display MOSBot Manager Remote File Inclusion Vuln

From: Jan de Groot <jan () jgc homeip net>
Date: Mon, 21 Aug 2006 21:23:56 +0200
On Sun, 2006-08-20 at 01:55 +0000, Outlaw () aria-security net wrote:

              ###########################################################################################
              #                       Aria-Security.net Advisory                                        #
              #                       Discovered  by: O.U.T.L.A.W                                       #     

              #                       < www.Aria-security.net >                                         #
              #               Gr33t to: A.U.R.A & Hessam-X & Cl0wn & DrtRp                              #
              #                                                                                         #
              ###########################################################################################


#Software: Mambo Components ContXTD
#Attack method: Remote File Inclusion
#Source:

** ensure this file is being included by a parent file */
defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );

include_once( $mosConfig_absolute_path .'/includes/vcard.class.php' );


The "defined( '_VALID_MOS' ) or die" you quoted is there to prevent
this. You can't define that constant from POST or GET.
Previous By Date Next
Previous By Thread Next

Current thread: