[VIM] CVE-2006-4264 (mtg_myhomepage) - dispute followup

Steven M. Christey coley at mitre.org
Thu Aug 24 16:01:26 EDT 2006


I "conditionally" concur with the dispute to CVE-2006-4264, originally
announced by Outlaw of Aria.  Source code inspection agrees with the
Bugtraq post by Carsten Eilers.  Specifically, the
$mosConfig_absolute_path is used in the install.lmtg_homepage.php
script, but it's part of a function definition, i.e.:

  function com_install() 
  {
  // pull the Mambo configuration values into function scope
  // (note: $mosConfig_lang is not among the global declarations)
  global $database;
  global $mosConfig_dbprefix;
  global $mosConfig_absolute_path;

  // load the admin language file for the configured language, falling
  // back to english.php; both paths are rooted at $mosConfig_absolute_path
  if (file_exists($mosConfig_absolute_path.'/administrator/components/com_lmtg_myhomepage/language/'.$mosConfig_lang.'.php')) 
      include_once ($mosConfig_absolute_path.'/administrator/components/com_lmtg_myhomepage/language/'.$mosConfig_lang.'.php');
  else
      include_once ($mosConfig_absolute_path.'/administrator/components/com_lmtg_myhomepage/language/english.php');
  // ... remainder of com_install() not shown in this post
  }


Based on a grep, com_install is not called *anywhere* in the PHP.

Why is my concurrence conditional?  Since com_install isn't directly
called anywhere, *how* is it getting called?  I looked for "$$" and
"${" constructs (not an exhaustive list of possibilities), since maybe
the function name is being stored in a variable or something, but no
go.

So, maybe com_install() is part of the whole Mambo/Joomla component
architecture or something, and if so, it's probably being called
outside of the source code scope of com_lmtg_myhomepage - in which
case I can't be SURE that there's not an issue.

I definitely concur with Carsten's dispute of the second attack on
lmtg_myhomepage.php, since the first line of the script is:

  defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );


- Steve
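
[Added example, not part of the above post or of the com_lmtg_myhomepage
sources.  The grep-style check described in the message, extended to the
indirect-call constructs PHP offers (call_user_func, variable functions
like $fn(), variable variables $$name / ${...}, and the function name
appearing as a string literal), plus a check for the _VALID_MOS guard
on the first line of each file.  The sample tree, the com_example
paths and the installer.php file are constructed stand-ins, not the
real Mambo/Joomla or component code.]

```python
"""Scan a PHP source tree for how a named function could be reached.

Added example; the SAMPLE_TREE below is constructed for illustration and
does not reproduce the real Mambo/Joomla or com_lmtg_myhomepage files.
"""
import re

# Constructed sample tree (path -> source). Hypothetical names throughout.
SAMPLE_TREE = {
    "administrator/components/com_example/install.example.php": """<?php
function com_install()
{
    global $mosConfig_absolute_path;
    include_once ($mosConfig_absolute_path.'/administrator/components/com_example/language/english.php');
}
""",
    "components/com_example/example.php": """<?php
defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );
echo 'hello';
""",
    "administrator/includes/installer.php": """<?php
// Installer: runs the component's install script, then its hook function.
require_once($install_script);
if (function_exists('com_install')) {
    call_user_func('com_install');
}
""",
    "components/com_example/helper.php": """<?php
$fn = 'com_' . $action;
$fn();
""",
}

# Constructs through which a function can be invoked without its name
# ever appearing followed by "(" in the source.
INDIRECT_RE = re.compile(
    r"call_user_func(?:_array)?\s*\("   # call_user_func('name', ...)
    r"|\$\$\w"                          # variable variable: $$name
    r"|\$\{"                            # ${'name'} / ${$expr}
    r"|\$\w+\s*\("                      # variable function: $fn() / $obj->$m()
)

# The guard Mambo components put on line one to block direct web access.
GUARD_RE = re.compile(r"defined\s*\(\s*['\"]_VALID_MOS['\"]\s*\)\s*or\s*die", re.I)


def scan_file(src, name):
    """Return 1-based line numbers where `name` is defined, called directly,
    referenced as a string literal, or where an indirect-call construct sits."""
    def_re = re.compile(r"\bfunction\s+" + re.escape(name) + r"\s*\(")
    call_re = re.compile(r"(?<![\w$>])" + re.escape(name) + r"\s*\(")  # not ->name( or $name(
    str_re = re.compile(r"['\"]" + re.escape(name) + r"['\"]")
    hits = {"definitions": [], "direct_calls": [], "string_refs": [], "indirect_call_sites": []}
    for n, line in enumerate(src.splitlines(), 1):
        if def_re.search(line):
            hits["definitions"].append(n)
        elif call_re.search(line):
            hits["direct_calls"].append(n)
        if str_re.search(line):
            hits["string_refs"].append(n)
        if INDIRECT_RE.search(line):
            hits["indirect_call_sites"].append(n)
    return hits


def has_direct_access_guard(src):
    """True if the first statement after the opening <?php tag is the _VALID_MOS guard."""
    code = re.sub(r"^\s*<\?php\b", "", src.strip(), count=1)
    first = next((l.strip() for l in code.splitlines() if l.strip()), "")
    return GUARD_RE.search(first) is not None


def scan_tree(tree, name):
    """Per-file report for `name` across a {path: source} tree."""
    report = {}
    for path, src in tree.items():
        hits = scan_file(src, name)
        hits["guarded"] = has_direct_access_guard(src)
        report[path] = hits
    return report


def classify(report):
    """Reduce the per-file report to a single verdict on reachability."""
    if any(r["direct_calls"] for r in report.values()):
        return "called directly"
    if any(r["string_refs"] or r["indirect_call_sites"] for r in report.values()):
        return "no direct call; possible indirect invocation"
    return "never referenced outside its definition"


if __name__ == "__main__":
    rep = scan_tree(SAMPLE_TREE, "com_install")
    for path, hits in rep.items():
        print(path, hits)
    print(classify(rep))
```

Run against only the component's own files the verdict is "never
referenced outside its definition", which is the grep result in the
post; widen the tree to include the (constructed) installer and the
string reference plus call_user_func site show up, which is the kind of
out-of-scope caller the post says it could not rule out.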

