Advertisement






Mambo Component - Display MOSBot Manager Remote File Inclusion Vuln

CVE Category Price Severity
N/A CWE-98 N/A High
Author Risk Exploitation Type Date
N/A High Remote 2006-09-02
CVSS EPSS EPSSP
CVSS:4.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H 0.5 0.75

CVSS vector description

Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2006080160

Below is a copy:

On Sun, 2006-08-20 at 01:55 +0000, Outlaw (at) aria-security (dot) net [email concealed] wrote:
> ########################################################################
###################
> #Aria-Security.net Advisory                                        #
> #Discovered  by: O.U.T.L.A.W                                       #
> 
> #< www.Aria-security.net >                                        #
> #Gr33t to: A.U.R.A & Hessam-X & Cl0wn & DrtRp                        #
> #                                        #
> ########################################################################
###################
> 
> 
> #Software: Mambo Components ContXTD
> #Attack method: Remote File Inclusion
> #Source:
> 
> ** ensure this file is being included by a parent file */
> defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );
> 
> include_once( $mosConfig_absolute_path .'/includes/vcard.class.php' );

The "defined( '_VALID_MOS' ) or die" you quoted is there to prevent
this. You can't define that constant from POST or GET.

Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.