| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 24 Jul 2009 12:00:23 +0200 From: ISecAuditors Security Advisories <advisories@...cauditors.com> To: bugs@...uritytracker.com, news@...uriteam.com, full-disclosure@...ts.grok.org.uk, vuln@...unia.com, packet@...ketstormsecurity.org, bugtraq@...urityfocus.com Subject: [ISecAuditors Security Advisories] Joomla! < 1.5.12 Multiple Full Path Disclosure vulnerabilities ============================================= INTERNET SECURITY AUDITORS ALERT 2009-009 - Original release date: July 21st, 2009 - Last revised: July 23rd, 2009 - Discovered by: Juan Galiana Lara - Severity: 5/10 (CVSS Base Score) ============================================= I. VULNERABILITY ------------------------- Joomla! < 1.5.12 Multiple Full Path Disclosure vulnerabilities II. BACKGROUND ------------------------- Joomla! is an award-winning content management system (CMS), which enables you to build Web sites and powerful online applications. Many aspects, including its ease-of-use and extensibility, have made Joomla! the most popular Web site software available. Best of all, Joomla! is an open source solution that is freely available to everyone. III. DESCRIPTION ------------------------- This vulnerability could allow a malicious user to view the internal path information of the host due to some files were missing the check for JEXEC. IV. PROOF OF CONCEPT ------------------------- The attacker can get the full path of the instalation of Joomla! browsing to any of this urls: http://example.com/joomla-1.5.12/libraries/joomla/utilities/compat/php50x.php http://example.com/joomla-1.5.12/libraries/joomla/client/ldap.php http://example.com/joomla-1.5.12/libraries/joomla/html/html/content.php The information obtained contais the full path to the files: <b>Parse error</b>: syntax error, unexpected T_CLONE, expecting T_STRING in <b>/var/www/joomla-1.5.12/libraries/joomla/utilities/compat/php50x.php</b> on line <b>100</b><br /> <b>Fatal error</b>: Class 'JObject' not found in <b>/var/www/joomla-1.5.12/libraries/joomla/client/ldap.php</b> on line <b>21</b><br /> <b>Fatal error</b>: Class 'JLoader' not found in <b>/var/www/joomla-1.5.12/libraries/joomla/html/html/content.php</b> on line <b>15</b><br /> V. BUSINESS IMPACT ------------------------- Full path disclosure vulnerabilities enables an attacker to know the path to the web root. This information can be used in order to launch further attacks. VI. SYSTEMS AFFECTED ------------------------- Joomla! versions prior and including 1.5.12 are vulnerable. VII. SOLUTION ------------------------- Upgrade to version 1.5.13 VIII. REFERENCES ------------------------- http://www.joomla.org http://www.isecauditors.com IX. CREDITS ------------------------- This vulnerability has been discovered by Juan Galiana Lara (jgaliana (at) isecauditors (dot) com). X. REVISION HISTORY ------------------------- July 21, 2009: Initial release. July 23, 2009: Last revision. XI. DISCLOSURE TIMELINE ------------------------- July 21, 2009: Discovered by Internet Security Auditors. July 21, 2009: Vendor contacted. July 22, 2009: Joomla! publish update. Great job. July 24, 2009: Advisory published. XII. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse of this information. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists