Joomla! "mosConfig_absolute_path" File Inclusion

SECUNIA ADVISORY ID:
SA29106

VERIFY ADVISORY:
http://secunia.com/advisories/29106/

CRITICAL:
Moderately critical

IMPACT:
System access

WHERE:
>From remote

SOFTWARE:
Joomla! 1.x
http://secunia.com/product/5788/

DESCRIPTION:
Hendrik-Jan Verheij has discovered a vulnerability in Joomla!, which
can be exploited by malicious people to compromise a vulnerable
system.

Input passed to the "mosConfig_absolute_path" parameter in index.php
is not properly verified before being used to include files. This can
be exploited to include arbitrary files from external resources.

Successful exploitation requires that RG_EMULATION is either switched
on or undefined.

NOTE: Both situations cause security warnings to be displayed in
Joomla!'s administration section.

The vulnerability is confirmed in Joomla! 1.0.x in versions 1.0.14
and 1.0.13. Prior versions may also be affected.

SOLUTION:
Joomla! 1.0.x:
Update to version 1.0.15.

PROVIDED AND/OR DISCOVERED BY:
Hendrik-Jan Verheij

ORIGINAL ADVISORY:
Joomla!:
http://www.joomla.org/content/view/4609/1/

Hendrik-Jan Verheij:
http://seclists.org/bugtraq/2008/Feb/0207.html