[ABANDONED] Mambo comspray <= Remote Inclusion Vulnerability
- gustavo
- Joomla! Explorer
- Posts: 427
- Joined: Fri Aug 19, 2005 12:51 pm
- Location: Argentina
[ABANDONED] Mambo comspray <= Remote Inclusion Vulnerability
Author: h4ntu
version: mospray_18RC1
idem..
Have a nice day
Gustavo
Last edited by RobS on Sun Jul 23, 2006 8:07 pm, edited 1 time in total.
Comunidad Joomla: Maintenance, support, translation and distribution for the Joomla!. Help site online. Member of the Spanish [es_ES] Joomla Translation Team. http://comunidadjoomla.org
-
- I've been banned!
- Posts: 1
- Joined: Sun Jul 16, 2006 7:38 pm
- Location: Las Vegas, NV
Re: comspray mambo <= remote inclusion
We have had a number of sites get hit since 7-12-06. We upgraded all sites to 1.0.10 on that date and we had another round on 7-16-06. So just upgrading to 1.0.10 doesn't fix everything. You have to go back and check your sites and look for a file named shell.php in the root of your site. If you are running multiple sites, check ALL of them. If it is on one site on a server, they have full access to the entire server and it doesn't matter what version of Joomla you are using at that point. Once you have found and removed the shell.php file, make sure all sites on the server are upgraded to 1.0.10. If you are using a shared server, you can still be vulnerable if someone else has the file on their portion of the server.
We are working on finding all the details and will let you know more as we find them.
Hope this helps.
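The check described in the post above, written out as a script: walk every site root on the server, report any file with a watched name (shell.php is the one named here) wherever it sits under the root, and also list PHP files placed directly in the web root on or after the incident date, since a CMS upgrade does not remove files an intruder dropped. This is an added example, not code from the poster; the file name, the watch list and the sample site it builds when run without arguments are constructed for the example.

```php
<?php
// check_dropped_files.php  (added example, hypothetical file name; not code
// from the thread's poster). Walks one or more site roots on a server and
// reports (1) files whose name is on a watch list, anywhere under the root,
// and (2) PHP files directly in the web root modified on or after a given
// date. Usage:  php check_dropped_files.php 2006-07-12 /var/www/site1 /var/www/site2
// Run with no arguments, it builds a throw-away sample site under the temp
// directory (constructed input) and checks that instead.

function checkSiteRoot($root, array $watchNames, $sinceTs)
{
    $hits = array();
    $root = rtrim($root, '/');

    // (1) Watch-listed names anywhere under the root.
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $file) {
        if (in_array(strtolower($file->getFilename()), $watchNames, true)) {
            $hits[] = sprintf('%s (%d bytes, modified %s)', $file->getPathname(),
                $file->getSize(), date('Y-m-d H:i', $file->getMTime()));
        }
    }

    // (2) PHP files placed directly in the web root after the incident date.
    //     The CMS does not rewrite these on its own, so new ones need a look.
    foreach (glob($root . '/*.php') as $path) {
        $name = strtolower(basename($path));
        if (filemtime($path) >= $sinceTs && !in_array($name, $watchNames, true)) {
            $hits[] = sprintf('%s (modified %s)', $path, date('Y-m-d H:i', filemtime($path)));
        }
    }
    return $hits;
}

// Constructed sample site: an old index.php and a freshly dropped shell.php
// (the sample shell.php holds only a comment; it stands in for a dropped file).
function buildSampleSite()
{
    $root = sys_get_temp_dir() . '/sample_site_' . getmypid();
    mkdir($root . '/components', 0700, true);
    file_put_contents($root . '/index.php', "<?php // front controller\n");
    touch($root . '/index.php', strtotime('2006-01-01'));
    file_put_contents($root . '/shell.php', "<?php // placeholder standing in for a dropped file\n");
    return $root;
}

$watch = array('shell.php');           // name reported in the thread
if (isset($argv[2])) {
    $since = strtotime($argv[1]);
    $roots = array_slice($argv, 2);
} else {
    $since = strtotime('2006-07-12');
    $roots = array(buildSampleSite());
}
if ($since === false) {
    fwrite(STDERR, "usage: php check_dropped_files.php YYYY-MM-DD /site/root ...\n");
    exit(1);
}
$total = 0;
foreach ($roots as $root) {
    foreach (checkSiteRoot($root, $watch, $since) as $hit) {
        echo $hit, "\n";
        $total++;
    }
}
exit($total ? 2 : 0);
```

The exit status (2 when anything was found) lets the script sit in a cron job across all hosted sites; the date-based check matters because a dropped file is not always called shell.php, and a shared server is only clean when every root has been looked at.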
- RobS
- Joomla! Ace
- Posts: 1366
- Joined: Mon Dec 05, 2005 10:17 am
- Location: New Orleans, LA, USA
Re: comspray mambo <= remote inclusion
I couldn't find any contact information or website for this component either. Do any of you guys have contact information for this component's developers?
Thanks
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions
- cgraham149
- Joomla! Intern
- Posts: 70
- Joined: Thu Mar 30, 2006 3:48 am
- Location: Northern California
Re: Mambo comspray <= Remote Inclusion Vulnerability
The file is here:
http://mamboxchange.com/projects/mospray/
The developer is here:
http://www.caneblu.com
I didn't see the component listed on his site, my guess is that this is abandoned.
-
- Joomla! Apprentice
- Posts: 5
- Joined: Fri Sep 16, 2005 12:09 pm
- Location: Italy
Re: Mambo comspray <= Remote Inclusion Vulnerability
Hi, I'm Walter, creator of Mospray.
Actually Mospray (Mambo + Flyspray) is no longer supported because I'm (re)writing it as Jospray, but it is far from complete.
So, can I have more details about this Remote Inclusion? I'll try to fix it.
Regards
Walter Tosolini
Caneblu.com
- RobS
- Joomla! Ace
- Posts: 1366
- Joined: Mon Dec 05, 2005 10:17 am
- Location: New Orleans, LA, USA
Re: Mambo comspray <= Remote Inclusion Vulnerability
Firstly, check to make sure that your component's files check that they are not being accessed directly. They should have a line like:
    defined( '_VALID_MOS' ) or die( 'Restricted access' );
This is what has caused many of the recent vulnerabilities. Additionally, you should not use the $GLOBALS array as this often facilitates turning bugs into major vulnerabilities. That would be a good start, then I suggest you have a look at the Developers Forum found here: http://forum.joomla.org/index.php/board,126.0.html There is some good information there on how to write more secure code.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions
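The two rules in the post above, turned into a static check a maintainer can run over a component tree: every .php file must carry the _VALID_MOS guard, the guard must come before the first include or require (a guard placed after an include does not protect it), and no include path may be assembled from $GLOBALS['mosConfig_absolute_path']. This is an added example, not code from RobS, Mambo or Joomla; the script name is hypothetical and the sample it audits when run without a directory is constructed from the require_once line quoted later in the thread.

```php
<?php
// audit_mos_component.php  (added example, hypothetical file name; not code
// from RobS, Mambo or Joomla). Static check that applies two rules to every
// .php file under a component directory: the _VALID_MOS guard must be present
// and must come before the first include, and include paths must not be built
// from $GLOBALS['mosConfig_absolute_path'].
// Needs PHP 7.1+.  Usage:  php audit_mos_component.php /path/to/components/com_xyz
// With no argument it audits a constructed sample string instead.

const GUARD_RE   = '/defined\s*\(\s*[\'"]_VALID_MOS[\'"]\s*\)\s*or\s*die\b/i';
const INCLUDE_RE = '/\b(?:include|require)(?:_once)?\b/i';
const GLOBALS_RE = '/\b(?:include|require)(?:_once)?\s*\(?\s*\$GLOBALS\s*\[\s*[\'"]mosConfig_absolute_path[\'"]\s*\]/i';

function lineOf(string $src, int $offset): int
{
    return substr_count(substr($src, 0, $offset), "\n") + 1;
}

// Findings for one file's source text; an empty array means it passed.
function auditSource(string $src): array
{
    $findings = [];
    $guardAt  = preg_match(GUARD_RE, $src, $g, PREG_OFFSET_CAPTURE) ? $g[0][1] : null;
    $firstInc = preg_match(INCLUDE_RE, $src, $i, PREG_OFFSET_CAPTURE) ? $i[0][1] : null;

    if ($guardAt === null) {
        $findings[] = 'no _VALID_MOS guard: script runs when requested directly';
    } elseif ($firstInc !== null && $firstInc < $guardAt) {
        // A guard placed after an include does nothing for that include.
        $findings[] = sprintf('guard on line %d comes after an include on line %d',
            lineOf($src, $guardAt), lineOf($src, $firstInc));
    }
    if (preg_match_all(GLOBALS_RE, $src, $m, PREG_OFFSET_CAPTURE)) {
        foreach ($m[0] as [, $offset]) {
            $findings[] = sprintf("line %d: include path built from \$GLOBALS['mosConfig_absolute_path']",
                lineOf($src, $offset));
        }
    }
    return $findings;
}

// Map of path => findings for every .php file under $dir (clean files omitted).
function auditDir(string $dir): array
{
    $report = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $file) {
        if (strtolower($file->getExtension()) !== 'php') {
            continue;
        }
        $src = file_get_contents($file->getPathname());
        $findings = auditSource($src === false ? '' : $src);
        if ($findings) {
            $report[$file->getPathname()] = $findings;
        }
    }
    return $report;
}

if (isset($argv[1])) {
    foreach (auditDir($argv[1]) as $path => $findings) {
        echo $path, "\n  - ", implode("\n  - ", $findings), "\n";
    }
    exit;
}

// Constructed sample: the require_once line quoted later in the thread for
// newtask.php, with the guard placed too late to help.
$sample = <<<'PHP'
<?php
require_once( $GLOBALS['mosConfig_absolute_path'] . '/includes/HTML_toolbar.php' );
defined( '_VALID_MOS' ) or die( 'Restricted access' );
PHP;
foreach (auditSource($sample) as $finding) {
    echo $finding, "\n";
}
```

The checks are regular expressions over source text, so they are a triage aid rather than a parser: a guard inside a comment would satisfy the first rule, and a path built from $GLOBALS through an intermediate variable would slip past the third. For a small component they still surface the files that need a maintainer's eye.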
-
- Joomla! Apprentice
- Posts: 5
- Joined: Fri Sep 16, 2005 12:09 pm
- Location: Italy
Re: Mambo comspray <= Remote Inclusion Vulnerability
Thanks,
So this component is not for Joomla; I think the installer does not work in J, and the DB table prefix is not #__ but the older mos_ (so the component doesn't work if you don't make changes to the code).
I strongly recommend you do not install this component in Joomla.
I'm working (but I haven't much time now) on a new component with the code completely rewritten, not adapted like this one.
Caneblu.com
-
- Joomla! Intern
- Posts: 59
- Joined: Thu Sep 15, 2005 5:52 pm
Re: [ABANDONED] Mambo comspray <= Remote Inclusion Vulnerability
I have been using mospray in Joomla for quite a while now and really like it. I had to make the necessary changes to the code to port it from Mambo, but it works fine.
With regard to the security issues outlined above, am I correct that the fix would be to
a) add "defined( '_VALID_MOS' ) or die( 'Restricted access' );" to all PHP scripts where it is missing
b) in newtask.php
i) insert "global $mosConfig_absolute_path;" at the top of the script
ii) replace
require_once( $GLOBALS['mosConfig_absolute_path'] . '/includes/HTML_toolbar.php' );
with
require_once( $mosConfig_absolute_path . '/includes/HTML_toolbar.php' );
Walter :- can you give any indication of a release date for Jospray?
Anyone :- is there a Joomla alternative which gives similar functionality? The others listed in extensions don't seem to give the same flexibility that I like in mospray.
Thanks
Dave
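Dave's steps a) and b) written out as the top of the component script, together with one extra check that the thread does not mention. This is an added example, not Mospray's newtask.php: it assumes the script is only ever loaded by the CMS front controller (index.php), which defines _VALID_MOS and sets $mosConfig_absolute_path from configuration.php before any component runs. The mosSafeIncludePath helper is hypothetical and is the added part: it refuses to hand require_once anything that is not a real file inside the site root.

```php
<?php
// newtask.php: hardened top of a Mambo / Joomla 1.0 component script.
// Added example that follows Dave's steps a) and b); it is not Mospray's own
// file. It assumes the script is only ever pulled in by the CMS front
// controller (index.php), which defines _VALID_MOS and sets
// $mosConfig_absolute_path from configuration.php before loading components.

// a) Direct-access guard. Requested straight from the web, _VALID_MOS is not
//    defined, so execution stops here, before any include is reached.
defined( '_VALID_MOS' ) or die( 'Restricted access' );

// b) i) Take the install path from the configuration variable, declared as a
//    global in this scope, rather than reading it out of $GLOBALS[...].
global $mosConfig_absolute_path;

// Defence in depth, added here beyond the two steps in the thread (hypothetical
// helper): refuse to include anything unless the base path is a real local
// directory and the resolved target is still inside it. A base value that is
// a URL, or a target that escapes the site root, fails these checks instead
// of being handed to require_once.
if ( !function_exists( 'mosSafeIncludePath' ) ) {
    function mosSafeIncludePath( $base, $relative )
    {
        $root = realpath( $base );
        if ( $root === false || !is_dir( $root ) ) {
            die( 'Restricted access' );
        }
        $target = realpath( $root . '/' . ltrim( $relative, '/' ) );
        if ( $target === false || strpos( $target, $root . DIRECTORY_SEPARATOR ) !== 0 ) {
            die( 'Restricted access' );
        }
        return $target;
    }
}

// b) ii) Build the include path from the variable, never from $GLOBALS.
require_once( mosSafeIncludePath( $mosConfig_absolute_path, 'includes/HTML_toolbar.php' ) );
```

realpath() returns false for anything that is not an existing local path, so a remote URL or a non-existent directory never reaches the include; the prefix comparison against the resolved root stops a relative path from climbing out of the site. The function_exists wrapper keeps the script safe to include more than once in a request.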
-
- Joomla! Apprentice
- Posts: 5
- Joined: Fri Sep 16, 2005 12:09 pm
- Location: Italy
Re: [ABANDONED] Mambo comspray <= Remote Inclusion Vulnerability
df23 wrote:
    Walter :- can you give any indication of a release date for Jospray?
No idea when ready...
I started at the beginning of the year to adapt Flyspray into Joomla, but the final work was not good at all... so I recently restarted from zero; only the database tables are similar to Flyspray. My intention is to make a PHP script fully "joomled".
Caneblu.com
-
- Joomla! Fledgling
- Posts: 4
- Joined: Thu Jan 04, 2007 1:18 pm
Re: [ABANDONED] Mambo comspray <= Remote Inclusion Vulnerability
df23 wrote:
    Anyone :- is there a Joomla alternative which gives similar functionality? The others listed in extensions don't seem to give the same
Did you try Flyspray ME?
Krishan
-
- Joomla! Intern
- Posts: 59
- Joined: Thu Sep 15, 2005 5:52 pm
Re: [ABANDONED] Mambo comspray <= Remote Inclusion Vulnerability
krishan wrote:
    Did you try Flyspray ME?
    Krishan
No, I haven't - it is for M@mbo and I am using Joomla.
-
- Joomla! Fledgling
- Posts: 4
- Joined: Thu Jan 04, 2007 1:18 pm
Re: [ABANDONED] Mambo comspray <= Remote Inclusion Vulnerability
Well, the component just has the old name but works very well in Joomla (my own page works with Joomla 1.0.11 and Flyspray ME 1.0.2 - without any problem).
-
- I've been banned!
- Posts: 21
- Joined: Wed Dec 19, 2007 10:36 pm
Re: [ABANDONED] Mambo comspray <= Remote Inclusion Vulnerability
Well spotted, I took this out of my site a while back anyway.
smile