oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: CVE request: Joomla unspecified information disclosure vulnerability

From: YGN Ethical Hacker Group <lists () yehg net>
Date: Fri, 1 Jul 2011 14:52:49 +0800
In 1.5.22, the following files trigger Path Disclosure issue:

1. /templates/system/error.php

because in 1.5.23, the following validation check was added:

if (!isset($this->error)) {
        $this->error = JError::raiseWarning( 403, JText::_('ALERTNOTAUTH') );
        $this->debug = false;
}

There must be some cases where $this->error might be undefined,
triggering path disclosure.


2. /administrator/components/com_media/views/media/view.html.php

There is another path disclosure in $base variable in com_media of
administrator backend.


/////////////////////////////////
                if(DS == '\\')
                {
                        $base = str_replace(DS,"\\\\",COM_MEDIA_BASE);
                } else {
                        $base = COM_MEDIA_BASE;
                }

                $js = "
                        var basepath = '".$base."';
                        var viewstyle = '".$style."';
                " ;
////////////////////////////////

COM_MEDIA_BASE is set to a part of JPATH_ROOT which is dirname(),
causing to reveal full path.



On Mon, Jun 27, 2011 at 10:58 PM, Henri Salo <henri () nerv fi> wrote:

On Mon, Jun 27, 2011 at 03:53:27PM +0800, YGN Ethical Hacker Group wrote:

Path Disclosure should better be regarded as more closely related to
server-side issue.
It may be too redundant or unnecessary to create one path disclosure
issue per CVE.

Another Path Disclosure issue in Joomla! 1.6.1

http://bl0g.yehg.net/2011/04/joomla-161-and-lower-information.html


Almost all php CMS applications have this issue going on where  some
of them are listed at:

http://code.google.com/p/inspathx/source/browse/#svn%2Ftrunk%2Fpaths_vuln


I think this deserves own CVE-identifier as Joomla did announce security vulnerability. As far as I know the 
vulnerability was described as "Information Disclosure" not patch disclosure. Path disclosures should be fixed from 
software also, but usually it is a problem in web-server configuration. Do you have more information about issue 
CVE-2011-2488? Still no reply from Joomla security team regarding issue CVE-2011-2488. I asked more details nearly a 
week ago.

Btw. I would use domain example.org in advisories if I were you. You might not always want to keep that attacker.in 
domain.

Best regards,
Henri Salo
Previous By Date Next
Previous By Thread Next

Current thread: