com_jpack 1.0.4a2

For all Non-Joomla! security issues. ie 3pd Components etc.

Moderator: General Support Moderators

User avatar
gustavo
Joomla! Explorer
Joomla! Explorer
Posts: 427
Joined: Fri Aug 19, 2005 12:51 pm
Location: Argentina
Contact:

com_jpack 1.0.4a2

Postby gustavo » Wed Apr 25, 2007 5:42 am

Original release date:  4/19/2007
Last revised: 4/19/2007
Source: US-CERT/NIST

Overview
PHP remote file inclusion vulnerability in includes/CAltInstaller.php in the JoomlaPack (com_jpack) 1.0.4a2 RE component for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter.


Impact
CVSS Severity: 7.0 (High)
Range: Remotely exploitable
Authentication: Not required to exploit
Impact Type: Provides unauthorized access, Allows partial confidentiality, integrity, and availability violation


References to Advisories, Solutions, and Tools

External Source:  MILW0RM (disclaimer)

Name: 3753

Hyperlink: http://www.milw0rm.com/exploits/3753


External Source:  FRSIRT (disclaimer)

Name: ADV-2007-1429

Type:  Advisory
Hyperlink: http://www.frsirt.com/english/advisories/2007/1429


Vulnerable software and versions
JoomlaPack, JoomlaPack, 1.0.4a2 RE


Technical Details
CVSS Base Score Vector: (AV:R/AC:L/Au:NR/C:P/I:P/A:P/B:N) (legend)

Vulnerability Type: Input Validation Error


CVE Standard Vulnerability Entry:
http://cve.mitre.org/cgi-bin/cvename.cg ... -2007-2144


Common Platform Enumeration:
http://nvd.nist.gov/cpe.cfm?cvename=CVE-2007-2144
Comunidad Joomla: Maintenance, support, translation and distribution for the Joomla!. Help site online. Member of the Spanish [es_ES] Joomla Translation Team. http://comunidadjoomla.org

User avatar
ot2sen
Joomla! Master
Joomla! Master
Posts: 10278
Joined: Thu Aug 18, 2005 9:58 am
Location: Hillerød - Denmark
Contact:

Re: com_jpack 1.0.4a2

Postby ot2sen » Thu Apr 26, 2007 8:18 am

Developer notified and they will produce a new security audited release within the next days.
Ole Bang Ottosen
Dansk kommerciel support og kurser www.ot2sen.dk
Dansk frivillig Joomla! support websted - joomla.dk
redCOMPONENT Community Manager redcomponent.com

User avatar
alexhokamp
Joomla! Guru
Joomla! Guru
Posts: 723
Joined: Sun Nov 20, 2005 7:04 pm
Location: Germany
Contact:

Re: com_jpack 1.0.4a2

Postby alexhokamp » Wed May 09, 2007 4:45 pm

@ot2sen

Any News on the Status of this Component?

Alex ...

User avatar
schipperijn
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 110
Joined: Thu Apr 06, 2006 3:42 pm
Location: Leeuwarden
Contact:

Re: com_jpack 1.0.4a2

Postby schipperijn » Sat May 12, 2007 9:56 pm

I have just find version 1.0.4a3
Do not know if this is already with an update for this security fix

His website is at http://sledge81.freehostia.com/ with a lot good info.

This version does have more functions and looks good   :-*
Last edited by schipperijn on Sat May 12, 2007 10:16 pm, edited 1 time in total.

User avatar
ot2sen
Joomla! Master
Joomla! Master
Posts: 10278
Joined: Thu Aug 18, 2005 9:58 am
Location: Hillerød - Denmark
Contact:

Re: com_jpack 1.0.4a2

Postby ot2sen » Tue Jun 05, 2007 8:06 am

alexhokamp wrote:@ot2sen

Any News on the Status of this Component?

Developer just confirmed that a new release 1.0.4-b1 is ready for download.
Extension republished at Joomla! Extensions Directory:
http://extensions.joomla.org/component/ ... Itemid,35/
Ole Bang Ottosen
Dansk kommerciel support og kurser www.ot2sen.dk
Dansk frivillig Joomla! support websted - joomla.dk
redCOMPONENT Community Manager redcomponent.com


Return to “3rd Party/Non Joomla! Security Issues”

Who is online

Users browsing this forum: No registered users and 3 guests