Who to notify of a new exploit in use????

UH-Tony · **Joined:** Fri Sep 29, 2006 9:07 pm **Posts:** 7

Hello,
I am a hosting admin and suspect I have just discovered a new exploit for a component of a customers site due to data from access logs.
I want to report this as I cannot find any reports of this component being vulnerable so far.

How can I report this?

I have tried to find a way to message a moderator here but cannot find one so please suggest how I can report this without posting it publicly as I know that would just get it more "Out There" to the ones who would abuse it.

Beat · **Posted:** Fri Sep 29, 2006 9:29 pm

PMed you my email, and will forward it, as you can't pm yet...

seems you need to do 5 posts to be able to PM.

Don't forget to get in touch with the component author as well.

UH-Tony · **Joined:** Fri Sep 29, 2006 9:07 pm **Posts:** 7

Thank you I have received your PM.

No offense at all intended but I was hoping to hand this issue off directly to a moderator so that I will feel confident that it is in safe hands.

Beat · **Posted:** Fri Sep 29, 2006 9:43 pm

No offense at all.

, on the contrary understanding your prudence

As you can see from the small flag I'm working in Joomla Q&T group led by RobS, moderator. You can't know or trust me upfront that i'm working particularly on security and compatibility aspects.

You got only 3 more posts to go and then you will be able to PM to RobS directly

But actually as important if not more, you need to contact the author of the 3PD extension (to see his contacts go to Install menu and list the components installed, or look at source, or look it up at http://extensions.joomla.org ).

UH-Tony · **Joined:** Fri Sep 29, 2006 9:07 pm **Posts:** 7

Thanks for your understanding, help and advise.

As a host I am very interested in making sure to contribute in any way I can towards security improvements for projects like Joomla as it is quite popular with our user base.

Beat · **Posted:** Fri Sep 29, 2006 10:01 pm

You are welcome

Excellent initiative

only 2 more posts to go to PM-to-Robs-nirvana

UH-Tony · **Joined:** Fri Sep 29, 2006 9:07 pm **Posts:** 7

Well lets make it 1 down...

Would seem reasonable for the site to allow PM's to mods at least even for brand new users.
I searched all over Joomla.org trying to find some contact method to no avail.

brad · **Posted:** Fri Sep 29, 2006 10:30 pm

For core Joomla exploits, please see: http://forum.joomla.org/index.php/topic,54006.0.html

For 3PD components, you should be able to locate the developer on the http://extensions.joomla.org site

brad · **Posted:** Fri Sep 29, 2006 10:32 pm

That being said, most of the Core Team 'show' their email address in their profile on these forums as well.

UH-Tony · **Joined:** Fri Sep 29, 2006 9:07 pm **Posts:** 7

Thanks for the added input.
I have searched and not found the correct component but with this post I can PM so would you mind me PM'ing you brad?

brian · **Posted:** Fri Sep 29, 2006 10:43 pm

this forum is pretty big now and smf search isn't up to it. I always google to search the forum by appending site:forum.org to my search. works pretty well

UH-Tony · **Joined:** Fri Sep 29, 2006 9:07 pm **Posts:** 7

Not a bad tip there.

I searched the forum as well as http://extensions.joomla.org and Googled for "com_XXX vuln*" and other things and found no mention of the particular component.

RobS · **Posted:** Sat Sep 30, 2006 1:01 am

If you haven't sent the information to Beat yet, you can send it to me via PM or email. My email address is in my signature and my profile.

UH-Tony · **Joined:** Fri Sep 29, 2006 9:07 pm **Posts:** 7

Hello Rob,
Thank you very much but I did already send it to Brad and made the mistake of not checking the box to save it to my sent folder.
If still needed though just let me know and I will re-type and send it to you.

Joomla! Discussion Forums

Who to notify of a new exploit in use????

Quick reply

Who is online