| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 24 Jul 2009 12:00:23 +0200 From: ISecAuditors Security Advisories <advisories@...cauditors.com> To: bugs@...uritytracker.com, news@...uriteam.com, full-disclosure@...ts.grok.org.uk, vuln@...unia.com, packet@...ketstormsecurity.org, bugtraq@...urityfocus.com Subject: [ISecAuditors Security Advisories] Joomla! < 1.5.12 Multiple Full Path Disclosure vulnerabilities ============================================= INTERNET SECURITY AUDITORS ALERT 2009-009 - Original release date: July 21st, 2009 - Last revised: July 23rd, 2009 - Discovered by: Juan Galiana Lara - Severity: 5/10 (CVSS Base Score) ============================================= I. VULNERABILITY ------------------------- Joomla! < 1.5.12 Multiple Full Path Disclosure vulnerabilities II. BACKGROUND ------------------------- Joomla! is an award-winning content management system (CMS), which enables you to build Web sites and powerful online applications. Many aspects, including its ease-of-use and extensibility, have made Joomla! the most popular Web site software available. Best of all, Joomla! is an open source solution that is freely available to everyone. III. DESCRIPTION ------------------------- This vulnerability could allow a malicious user to view the internal path information of the host due to some files were missing the check for JEXEC. IV. PROOF OF CONCEPT ------------------------- The attacker can get the full path of the instalation of Joomla! browsing to any of this urls: http://example.com/joomla-1.5.12/libraries/joomla/utilities/compat/php50x.php http://example.com/joomla-1.5.12/libraries/joomla/client/ldap.php http://example.com/joomla-1.5.12/libraries/joomla/html/html/content.php The information obtained contais the full path to the files: <b>Parse error</b>: syntax error, unexpected T_CLONE, expecting T_STRING in <b>/var/www/joomla-1.5.12/libraries/joomla/utilities/compat/php50x.php</b> on line <b>100</b><br /> <b>Fatal error</b>: Class 'JObject' not found in <b>/var/www/joomla-1.5.12/libraries/joomla/client/ldap.php</b> on line <b>21</b><br /> <b>Fatal error</b>: Class 'JLoader' not found in <b>/var/www/joomla-1.5.12/libraries/joomla/html/html/content.php</b> on line <b>15</b><br /> V. BUSINESS IMPACT ------------------------- Full path disclosure vulnerabilities enables an attacker to know the path to the web root. This information can be used in order to launch further attacks. VI. SYSTEMS AFFECTED ------------------------- Joomla! versions prior and including 1.5.12 are vulnerable. VII. SOLUTION ------------------------- Upgrade to version 1.5.13 VIII. REFERENCES ------------------------- http://www.joomla.org http://www.isecauditors.com IX. CREDITS ------------------------- This vulnerability has been discovered by Juan Galiana Lara (jgaliana (at) isecauditors (dot) com). X. REVISION HISTORY ------------------------- July 21, 2009: Initial release. July 23, 2009: Last revision. XI. DISCLOSURE TIMELINE ------------------------- July 21, 2009: Discovered by Internet Security Auditors. July 21, 2009: Vendor contacted. July 22, 2009: Joomla! publish update. Great job. July 24, 2009: Advisory published. XII. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse of this information.
Powered by blists - more mailing lists