[ABANDONED] Mambo comspray <= Remote Inclusion Vulnerability

For all Non-Joomla! security issues. ie 3pd Components etc.

Moderator: General Support Moderators

Forum rules
Locked
User avatar
gustavo
Joomla! Explorer
Joomla! Explorer
Posts: 427
Joined: Fri Aug 19, 2005 12:51 pm
Location: Argentina
Contact:

[ABANDONED] Mambo comspray <= Remote Inclusion Vulnerability

Post by gustavo » Wed Jul 12, 2006 3:13 pm

Author: h4ntu
version: mospray_18RC1

idem..

Have a nice day
Gustavo
Last edited by RobS on Sun Jul 23, 2006 8:07 pm, edited 1 time in total.
Comunidad Joomla: Maintenance, support, translation and distribution for the Joomla!. Help site online. Member of the Spanish [es_ES] Joomla Translation Team. http://comunidadjoomla.org

rcameron
I've been banned!
Posts: 1
Joined: Sun Jul 16, 2006 7:38 pm
Location: Las Vegas, NV
Contact:

Re: comspray mambo <= remote inclusion

Post by rcameron » Mon Jul 17, 2006 12:18 am

We have had a number of sites get hit since 7-12-06. We upgraded all sites to 1.0.10 on that date and we had another round on 7-16-06. So just upgrading to 1.0.10 doesnt fix everything. You have to go back and check your sites and look for a file named shell.php in the root of your site. If you are running multiple sites, check ALL of them. If it is on one site on a server, they have full access to the entire server and it doesnt matter what version of Joomla you are using at that point. Once you have found and removed the shell.php file, make sure all sites on the server are upgraded to 1.0.10. If you are using a shared server, you can still be vulnerable if someone else has the file on their portion of the server.

We are working on finding all the details and will let you know more as we find them.

Hope this helps.

User avatar
RobS
Joomla! Ace
Joomla! Ace
Posts: 1366
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA
Contact:

Re: comspray mambo <= remote inclusion

Post by RobS » Wed Jul 19, 2006 6:51 am

I couldn't find any contact information or website for this component either.  Do any of you guys have contact information for this components developers?

Thanks
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

User avatar
cgraham149
Joomla! Intern
Joomla! Intern
Posts: 70
Joined: Thu Mar 30, 2006 3:48 am
Location: Northern California
Contact:

Re: Mambo comspray <= Remote Inclusion Vulnerability

Post by cgraham149 » Wed Jul 19, 2006 7:34 am

The file is here:

http://mamboxchange.com/projects/mospray/

The developer is here:

http://www.caneblu.com

I didn't see the component listed on his site, my guess is that this is abandoned.
FlickrTab Pro for Community Builder
Multiple Random Image Module for Joomla!

caneblu
Joomla! Apprentice
Joomla! Apprentice
Posts: 5
Joined: Fri Sep 16, 2005 12:09 pm
Location: Italy
Contact:

Re: Mambo comspray <= Remote Inclusion Vulnerability

Post by caneblu » Wed Jul 19, 2006 3:55 pm

Hi i'm Walter, creator of Mospray.
Actually Mospray (mambo + flyspray) is not longer supported because i'm (re)writing a Jospray, but is far to complete.
So, can i have more details about this Remote Inclusion, i'll try to fix-it

Regards
Walter Tosolini
Caneblu.com

User avatar
RobS
Joomla! Ace
Joomla! Ace
Posts: 1366
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA
Contact:

Re: Mambo comspray <= Remote Inclusion Vulnerability

Post by RobS » Wed Jul 19, 2006 10:05 pm

Firstly, check to make sure that your components files check that they are not being accessed directly.  They should have a line like:

Code: Select all

defined( '_VALID_MOS' ) or die( 'Restricted access' );
This is what has caused many of the recent vulnerabilities.  Additionally, you should not use the $GLOBALS array as this often facilitates turning bugs into major vulnerabilities.  That would be a good start, then I suggest you have a look at the Developers Forum found here: http://forum.joomla.org/index.php/board,126.0.html  There is some good information there on how to write more secure code.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

caneblu
Joomla! Apprentice
Joomla! Apprentice
Posts: 5
Joined: Fri Sep 16, 2005 12:09 pm
Location: Italy
Contact:

Re: Mambo comspray <= Remote Inclusion Vulnerability

Post by caneblu » Fri Jul 21, 2006 4:44 pm

thx,
so this component is not for Joomla, i think the installer is not working into J, db tables_prefix are not like #__ but older mos_ (so the component dont work if you dont make change into the code)
I strongly recommed do not install this component in Joomla.
I'm working (but i havent much time now) to new component with code complety rewrite and not adapted like this one.
Caneblu.com

df23
Joomla! Intern
Joomla! Intern
Posts: 59
Joined: Thu Sep 15, 2005 5:52 pm

Re: [ABANDONED] Mambo comspray <= Remote Inclusion Vulnerability

Post by df23 » Sat Oct 21, 2006 12:23 pm

I have been using mospray in Joomla for quite a while now and really like it. I had to make the necessary changes to the code to port it from mambo but it works fine  :D

With regard to the security issues outlined about am i correct that the fix would be to
a) add "defined( '_VALID_MOS' ) or die( 'Restricted access' );" to all php scripts where it is missing
b) in newtask.php
    i) insert "global $mosConfig_absolute_path;" at the top of the script
    ii) replace
        require_once( $GLOBALS['mosConfig_absolute_path'] . '/includes/HTML_toolbar.php' );
      with
      require_once( $mosConfig_absolute_path . '/includes/HTML_toolbar.php' );

Walter :- can you give any indication of a release date for Jospray?

Anyone :- is there a Joomla alternative which give similar functionality? The others listed in extensions dont seem to give the same flexibility that i like in mospray

Thanks
Dave

caneblu
Joomla! Apprentice
Joomla! Apprentice
Posts: 5
Joined: Fri Sep 16, 2005 12:09 pm
Location: Italy
Contact:

Re: [ABANDONED] Mambo comspray <= Remote Inclusion Vulnerability

Post by caneblu » Mon Oct 23, 2006 9:46 am

df23 wrote:
Walter :- can you give any indication of a release date for Jospray?
No idea when ready...
i'm starting at begin of year to adapt flyspray into joomla, but the final work was not good at all... so i recently re-start from zero, only table of database are similar to flyspray, my intention is make a php script fully "joomled".
Caneblu.com

krishan
Joomla! Fledgling
Joomla! Fledgling
Posts: 4
Joined: Thu Jan 04, 2007 1:18 pm

Re: [ABANDONED] Mambo comspray <= Remote Inclusion Vulnerability

Post by krishan » Thu Jan 04, 2007 1:20 pm

df23 wrote: Anyone :- is there a Joomla alternative which give similar functionality? The others listed in extensions dont seem to give the same
Did you try Flyspray ME ?

Krishan

df23
Joomla! Intern
Joomla! Intern
Posts: 59
Joined: Thu Sep 15, 2005 5:52 pm

Re: [ABANDONED] Mambo comspray <= Remote Inclusion Vulnerability

Post by df23 » Thu Jan 04, 2007 11:16 pm

krishan wrote:
Did you try Flyspray ME ?

Krishan
No i havent - it is for M@mbo and i am using Joomla

krishan
Joomla! Fledgling
Joomla! Fledgling
Posts: 4
Joined: Thu Jan 04, 2007 1:18 pm

Re: [ABANDONED] Mambo comspray <= Remote Inclusion Vulnerability

Post by krishan » Thu Jan 04, 2007 11:45 pm

Well, the component just has the old name but works very well in Joomlal (my own page works with Joomla 1.0.11 and Flyspray ME 1.0.2 - without any problem).

karryberry
I've been banned!
Posts: 21
Joined: Wed Dec 19, 2007 10:36 pm

Re: [ABANDONED] Mambo comspray <= Remote Inclusion Vulnerability

Post by karryberry » Thu Dec 20, 2007 8:25 am

well spotted, i took this out of my site a while back anyways.
smile


Locked

Return to “3rd Party/Non Joomla! Security Issues”