lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: 2 Mar 2006 06:19:19 -0000
From: ghc@....ru
To: bugtraq@...urityfocus.com
Subject: JOOMLA CMS 1.0.7 DoS & path disclosing



RST/GHC -- JOOMLA CMS -- ADVISORY #37
Product: Joomla
Affected version: 1.0.7
Last version: 1.0.7
Vendor: Joomla!
URL: http://www.joomla.org/
online demo: http://demo.joomla.org/
VULNERABILITY CLASS: DoS, path disclosing

[Product Description]
Joomla! is a Content Management System (CMS) created by the same award-winning 
team that brought the Mambo CMS to its current state of stardom.

[Summary]
An attacker can invoke some undesirable situations for server administrator.

[Details]

1. Real server path disclose and arbitrary filename creation.
Vulnerable script: includes/feedcreator.class.php
[code]
	function saveFeed($filename="", $displayContents=true) {
		if ($filename=="") {
			$filename = $this->_generateFilename();
		}
		$feedFile = fopen($filename, "w+");
		if ($feedFile) {
			fputs($feedFile,$this->createFeed());
			fclose($feedFile);
			if ($displayContents) {
				$this->_redirect($filename);
			}
[/code]

Exploit: 
Vulnerable script: index.php?option=com_rss&feed=filename_here&no_html=1
An attacker can write simple code to soil the server by lots of cashed files.
To disclose real path - just put slash symbol in the filename. 

2. Denial of service.
Vulnerable script: includes/phpInputFilter/class.inputfilter.php
Anti-xss code will not cope with several tags. This can cause denial of servise.
Exploit: 
index.php?option=com_poll&task=results&id=14&mosmsg=DOS@...E<<>AAA<><>


[DISCLOSURE TIMELINE]

09/02/06 - vendor notification
26/02/06 - new release (1.0.8) with bugfix

bugs discovered by Foster

RST/GHC
http://rst.void.ru
http://www.ghc.ru

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ