| Joomla! http://forum.joomla.org/ |
|
| J! Reactions : Confirmed Spam Exploit http://forum.joomla.org/viewtopic.php?f=267&t=202462 |
| Author: | winuser [ Thu Aug 16, 2007 6:47 pm ] |
| Post subject: | J! Reactions : Confirmed Spam Exploit |
Two Pro Edition users were notified by their service companies that a file in the J! Reactions commenting system was being used to send spam email (apparently French content). The problem has been traced specifically to the langset.php file (which is located in the administrator/components/com_jreactions folder). Build 1.9.0 will fix this problem, but the immediate action is to simply replace the langset.php file. Here it is:

Code:
<?php
// Stop immediately unless this file was included by Joomla!, which defines _VALID_MOS.
defined( '_VALID_MOS' ) or die( 'Direct access is prohibited.' );

global $mosConfig_lang;

// $comPath is not set in this file; it is expected from the including script.
// Load the language file for the site language, falling back to English.
if (file_exists("$comPath/custom/".$mosConfig_lang.".php")) {
    include("$comPath/custom/".$mosConfig_lang.".php");
} else {
    require("$comPath/custom/english.php");
}
?>

The security issue is caused by the fact that the old file does not check for VALID_MOS.

I suggest that all J! Reactions users (a) un-install the J! Reactions component in the normal manner, (b) double-check that ALL J! Reactions folders on the server are removed after the un-install, and (c) install build 1.9.0 when it is released in a few days. Any existing comment data will be safe in the data tables in the interim.

I apologize for any service interruptions resulting from this exploit.
|
|
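Added example, not part of the thread and not J! Reactions code: a Python audit that flags .php files in an extension tree whose first statement is not the `_VALID_MOS` guard shown in the replacement langset.php above. The `com_example` directory, the file names and the sample file contents are constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# The guard as written in the fixed langset.php: defined('_VALID_MOS') or die(...)
GUARD = re.compile(
    r"""^defined\s*\(\s*['"]_VALID_MOS['"]\s*\)\s*(or|\|\|)\s*(die|exit)\b""",
    re.IGNORECASE,
)
# PHP comments: /* ... */, // ... and # ...
COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.DOTALL)


def has_guard(php_source: str) -> bool:
    """True if the first statement after the opening tag is the guard."""
    start = re.search(r"<\?(?:php\b)?", php_source, re.IGNORECASE)
    if start is None:
        return True  # no PHP block, nothing that could run on direct access
    body = COMMENTS.sub("", php_source[start.end():]).lstrip()
    return GUARD.match(body) is not None


def audit_tree(root: Path) -> list[str]:
    """Return sorted relative paths of .php files that lack a leading guard."""
    flagged = []
    for path in sorted(root.rglob("*.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        if not has_guard(text):
            flagged.append(path.relative_to(root).as_posix())
    return flagged


def demo() -> list[str]:
    """Audit a constructed component tree with one good and two bad files."""
    samples = {
        "fixed.php": "<?php\ndefined( '_VALID_MOS' ) or die( 'Direct access is prohibited.' );\nglobal $mosConfig_lang;\n",
        "unguarded.php": "<?php\n// no guard at all\ninclude(\"$comPath/custom/english.php\");\n",
        "late_guard.php": "<?php\ninclude('x.php');\ndefined('_VALID_MOS') or die();\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        comp = Path(tmp) / "administrator/components/com_example"
        comp.mkdir(parents=True)
        for name, source in samples.items():
            (comp / name).write_text(source, encoding="utf-8")
        return audit_tree(Path(tmp))


if __name__ == "__main__":
    print(demo())
```

Point `audit_tree` at extension directories only: Joomla!'s own entry points define `_VALID_MOS` rather than check it, so they would be reported. A guard that appears after an include is reported too, because the included code has already run by then.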
| Author: | rliskey [ Thu Aug 16, 2007 10:44 pm ] |
| Post subject: | Re: J! Reactions : Confirmed Spam Exploit |
Thanks for reporting and for providing clear recovery directions. Added to the Vulnerable Extensions list here: http://help.joomla.org/component/option ... temid,268/ |
|
| All times are UTC |
|