oss-sec mailing list archives

Re: CVE request: Joomla unspecified information disclosure vulnerability

From: Henri Salo <henri () nerv fi>
Date: Mon, 27 Jun 2011 17:58:35 +0300

On Mon, Jun 27, 2011 at 03:53:27PM +0800, YGN Ethical Hacker Group wrote:

Path Disclosure should better be regarded as more closely related to
server-side issue.
It may be too redundant or unnecessary to create one path disclosure
issue per CVE.

Another Path Disclosure issue in Joomla! 1.6.1

http://bl0g.yehg.net/2011/04/joomla-161-and-lower-information.html


Almost all php CMS applications have this issue going on where  some
of them are listed at:

http://code.google.com/p/inspathx/source/browse/#svn%2Ftrunk%2Fpaths_vuln


I think this deserves own CVE-identifier as Joomla did announce security vulnerability. As far as I know the 
vulnerability was described as "Information Disclosure" not patch disclosure. Path disclosures should be fixed from 
software also, but usually it is a problem in web-server configuration. Do you have more information about issue 
CVE-2011-2488? Still no reply from Joomla security team regarding issue CVE-2011-2488. I asked more details nearly a 
week ago.

Btw. I would use domain example.org in advisories if I were you. You might not always want to keep that attacker.in 
domain.

Best regards,
Henri Salo

Current thread:

CVE request: Joomla unspecified information disclosure vulnerability Henri Salo (Jun 20)
- Re: CVE request: Joomla unspecified information disclosure vulnerability Josh Bressers (Jun 23)
  - Re: CVE request: Joomla unspecified information disclosure vulnerability YGN Ethical Hacker Group (Jun 27)
    - Re: CVE request: Joomla unspecified information disclosure vulnerability Henri Salo (Jun 27)
    - Re: CVE request: Joomla unspecified information disclosure vulnerability YGN Ethical Hacker Group (Jun 30)