Message-ID: <4A698637.6060803@isecauditors.com>
Date: Fri, 24 Jul 2009 12:00:23 +0200
From: ISecAuditors Security Advisories <advisories@...cauditors.com>
To: bugs@...uritytracker.com, news@...uriteam.com,
	full-disclosure@...ts.grok.org.uk, vuln@...unia.com,
	packet@...ketstormsecurity.org, bugtraq@...urityfocus.com
Subject: [ISecAuditors Security Advisories] Joomla! < 1.5.12 Multiple Full
 Path Disclosure vulnerabilities

=============================================
INTERNET SECURITY AUDITORS ALERT 2009-009
- Original release date: July 21st, 2009
- Last revised:  July 23rd, 2009
- Discovered by: Juan Galiana Lara
- Severity: 5/10 (CVSS Base Score)
=============================================

I. VULNERABILITY
-------------------------
Joomla! < 1.5.12 Multiple Full Path Disclosure vulnerabilities

II. BACKGROUND
-------------------------
Joomla! is an award-winning content management system (CMS), which
enables you to build Web sites and powerful online applications. Many
aspects, including its ease-of-use and extensibility, have made
Joomla! the most popular Web site software available. Best of all,
Joomla! is an open source solution that is freely available to everyone.

III. DESCRIPTION
-------------------------
This vulnerability could allow a malicious user to view the internal
path information of the host because some files were missing the check
for JEXEC.

IV. PROOF OF CONCEPT
-------------------------
The attacker can get the full path of the installation of Joomla! by
browsing to any of these URLs:

http://example.com/joomla-1.5.12/libraries/joomla/utilities/compat/php50x.php
http://example.com/joomla-1.5.12/libraries/joomla/client/ldap.php
http://example.com/joomla-1.5.12/libraries/joomla/html/html/content.php

The information obtained contains the full path to the files:

<b>Parse error</b>:  syntax error, unexpected T_CLONE, expecting
T_STRING in
<b>/var/www/joomla-1.5.12/libraries/joomla/utilities/compat/php50x.php</b>
on line <b>100</b><br />
<b>Fatal error</b>:  Class 'JObject' not found in
<b>/var/www/joomla-1.5.12/libraries/joomla/client/ldap.php</b> on line
<b>21</b><br />
<b>Fatal error</b>:  Class 'JLoader' not found in
<b>/var/www/joomla-1.5.12/libraries/joomla/html/html/content.php</b>
on line <b>15</b><br />

V. BUSINESS IMPACT
-------------------------
Full path disclosure vulnerabilities enable an attacker to know the
path to the web root. This information can be used in order to launch
further attacks.

VI. SYSTEMS AFFECTED
-------------------------
Joomla! versions prior to and including 1.5.12 are vulnerable.

VII. SOLUTION
-------------------------
Upgrade to version 1.5.13

VIII. REFERENCES
-------------------------
http://www.joomla.org
http://www.isecauditors.com

IX. CREDITS
-------------------------
This vulnerability has been discovered
by Juan Galiana Lara (jgaliana (at) isecauditors (dot) com).

X. REVISION HISTORY
-------------------------
July  21, 2009: Initial release.
July  23, 2009: Last revision.

XI. DISCLOSURE TIMELINE
-------------------------
July  21, 2009: Discovered by Internet Security Auditors.
July  21, 2009: Vendor contacted.
July  22, 2009: Joomla! published update. Great job.
July  24, 2009: Advisory published.

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors accepts no responsibility for any damage
caused by the use or misuse of this information.
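
An added example, not part of the advisory or of Joomla!'s code: a Python audit that walks a source tree and reports PHP files that lack the direct-access check described in section III, or that reach other code before evaluating it. The guard patterns, the inclusion of JPATH_BASE as a second constant, and the sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumption: _JEXEC is the constant named in the advisory; JPATH_BASE is
# included as a second entry-point constant a tree may test instead.
CONST = r"""['"](?:_JEXEC|JPATH_BASE)['"]"""
GUARD = re.compile(
    rf"defined\s*\(\s*{CONST}\s*\)\s*(?:or|\|\|)\s*(?:die|exit)"
    rf"|!\s*defined\s*\(\s*{CONST}\s*\)\s*\)\s*\{{?\s*(?:die|exit)", re.I)
# Statements that can fail with a path-bearing error on a direct request.
CODE = re.compile(r"\b(?:class|function|require(?:_once)?|include(?:_once)?|new)\b", re.I)
# Heuristic comment stripper; it does not understand string literals.
COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)

def check_source(php: str) -> str:
    """Classify one PHP source string as 'ok', 'missing' or 'late'."""
    body = COMMENTS.sub("", php)   # a commented-out guard must not count
    guard = GUARD.search(body)
    if guard is None:
        return "missing"
    code = CODE.search(body)
    if code is not None and code.start() < guard.start():
        return "late"              # code is reached before the guard
    return "ok"

def audit_tree(root) -> dict:
    """Map relative path -> finding for every .php file that is not 'ok'."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*.php")):
        verdict = check_source(path.read_text(encoding="utf-8", errors="replace"))
        if verdict != "ok":
            findings[path.relative_to(root).as_posix()] = verdict
    return findings

def demo() -> dict:
    """Audit a small constructed tree (file names and contents are made up)."""
    samples = {
        "lib/guarded.php": "<?php\n// no direct access\ndefined('_JEXEC') or die('Restricted access');\nclass JGuarded {}\n",
        "lib/unguarded.php": "<?php\nclass JSample extends JObject {}\n",
        "lib/commented.php": "<?php\n// defined('_JEXEC') or die();\nfunction helper() {}\n",
        "lib/late.php": "<?php\nclass JLate extends JObject {}\ndefined('JPATH_BASE') or die();\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, src in samples.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(src, encoding="utf-8")
        return audit_tree(tmp)
```

Calling `audit_tree()` on the root of an installed tree returns the files to review; an empty result means every PHP file matched one of the guard patterns before its first declaration or include.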
