Re: CVE request: Joomla unspecified information disclosure vulnerability

[YGN Ethical Hacker Group <lists () yehg net>]

Path Disclosure should better be regarded as more closely related to
server-side issue.
It may be too redundant or unnecessary to create one path disclosure
issue per CVE.

Another Path Disclosure issue in Joomla! 1.6.1

http://bl0g.yehg.net/2011/04/joomla-161-and-lower-information.html


Almost all php CMS applications have this issue going on where  some
of them are listed at:

http://code.google.com/p/inspathx/source/browse/#svn%2Ftrunk%2Fpaths_vuln


---------------------------------
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd



On Fri, Jun 24, 2011 at 3:46 AM, Josh Bressers <bressers () redhat com> wrote:
> ----- Original Message -----
> > Couldn't find a CVE-identifier for this issue. Joomla does have too
> > many vulnerabilities. Joomla prior to 1.5.23 contains a flaw that may
> > lead to an unauthorized information disclosure. Should this one get a
> > 2010 or 2011 identifier?
> >
> > Reported: 2010-12-08
> > Joomla advisory: 2011-04-01
> > Release with a fix (version 1.5.23): 2011-04-04
> >
> > References:
> > http://developer.joomla.org/security/news/9-security/10-core-security/340-20110401-core-information-disclosure.html
> > http://www.joomla.org/announcements/release-news/5367-joomla-1523-released.html
> > http://osvdb.org/show/osvdb/71587
> > http://secunia.com/advisories/44028/
> >
> > I hope this request isn't duplicate. I included oCERT to this email as
> > Joomla is part of that group. Please notify me and mailing-list if
> > this issue already has a CVE-identifier.
>
> I'm giving this CVE-2011-2488.
>
> While the flaw was reported in 2010 they claim, I consider 2011 when
> it went public.
>
> Thanks.
>
> --
>    JB