Joomla vulnerability -- new version available (July 1, 2009)

Started by Jason, July 01, 2009, 03:10:15 PM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

Print
Go Down Pages1
User actions

Jason

July 01, 2009, 03:10:15 PM
A new alert arrived today.

Quote
[20090606] - Core - Missing JEXEC Check
[20090605] - Core - Frontend XSS - PHP_SELF not properly filtered
[20090604] - Core - Frontend XSS - HTTP_REFERER not properly filtered
[20090606] - Core - Missing JEXEC Check

Posted: 30 Jun 2009 09:46 PM PDT

Project: Joomla!
SubProject: Admin client
Severity: Moderate
Versions: 1.5.11 and all previous 1.5 releases
Exploit type: XSS
Reported Date: 2009-June-22
Fixed Date: 2009-June-30
Description
Some files were missing the check for JEXEC.  These scripts will then expose internal path information of the host.

Affected Installs
All 1.5.x installs prior to and including 1.5.11 are affected.

Solution
Upgrade to latest Joomla! version (1.5.12 or newer).

Contact
The JSST at the Joomla! Security Center.



[20090605] - Core - Frontend XSS - PHP_SELF not properly filtered

Posted: 30 Jun 2009 09:46 PM PDT

Project: Joomla!
SubProject: Site client
Severity: Moderate
Versions: 1.5.11 and all previous 1.5 releases
Exploit type: XSS
Reported Date: 2009-June-03
Fixed Date: 2009-June-30
Description
An attacker can inject JavaScript code in a URL that will be executed in the context of targeted user browser.

Affected Installs
All 1.5.x installs prior to and including 1.5.11 are affected.

Solution
Upgrade to latest Joomla! version (1.5.12 or newer).

Reported By Paul Boekholt (Byte Internet)

Contact
The JSST at the Joomla! Security Center.



[20090604] - Core - Frontend XSS - HTTP_REFERER not properly filtered

Posted: 30 Jun 2009 09:45 PM PDT

Project: Joomla!
SubProject: Site client
Severity: Moderate
Versions: 1.5.11 and all previous 1.5 releases
Exploit type: XSS
Reported Date: 2009-June-30
Fixed Date: 2009-June-30
Description
An attacker can inject JavaScript or DHTML code that will be executed in the context of targeted user browser, allowing the attacker to steal cookies. HTTP_REFERER variable is not properly parsed.

Affected Installs
All 1.5.x installs prior to and including 1.5.11 are affected.

Solution
Upgrade to latest Joomla! version (1.5.12 or newer).

Reported by Juan Galiana Lara (Internet Security Auditors)

Contact
The JSST at the Joomla! Security Center.

Mark

#1
July 02, 2009, 12:44:29 AM
Uhg, again? I'll update in the morning.

Jason

#2
July 02, 2009, 05:20:32 PM
Quote from: Mark on July 02, 2009, 12:44:29 AM
Uhg, again? I'll update in the morning.

:D
Print
Go Up Pages1
User actions