lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <20070818082316.17243.qmail@securityfocus.com> Date: 18 Aug 2007 08:23:16 -0000 From: software@...cnet.com To: bugtraq@...urityfocus.com Subject: Re: Joomla J! Reactions Component Remote File include Bug The entire langset.php file should be changed to: <?php defined( '_VALID_MOS' ) or die( 'Direct access is prohibited.' ); global $mosConfig_lang; if (file_exists("$comPath/custom/".$mosConfig_lang.".php")) { include("$comPath/custom/".$mosConfig_lang.".php"); } else { require("$comPath/custom/english.php"); } ?> The spam expolit occurs because the original file does not test VALID_MOS. This vulnerability exists in build 1.8.1 and earlier.