Attention: Official List of Vulnerable 3rd Party Add-ons!!!

Posted: Sun Jul 23, 2006 10:11 pm
by RobS
[MOD: All information on vulnerable 3rd party extensions has been moved to the Joomla! Wiki]
http://docs.joomla.org/Vulnerable_Extensions_List

Re: Attention: Official List of Vulnerable 3rd Party Add-ons!!!

Posted: Sat Jul 29, 2006 7:06 pm
by RobS
Updated.  Added A6MamboHelpDesk to the list of vulnerable components and also updated the information for LoudMouth as it has reportedly been fixed now.

Last updated July 29, 2006 @ 12:06 PM PDT.

Re: Attention: Official List of Vulnerable 3rd Party Add-ons!!!

Posted: Tue Aug 01, 2006 6:40 am
by RobS
Updated again.  Added 7 components to the naughty list.

PC Cook Book
User Home Pages 1 and 2
Mambo Gallery Manager
JD-WordPress
Colophon
LMO
Bayesian Naive Filter

That brings this list to 34 components.
Last updated on July 31, 2006 @ 11:34 PM PDT.

Re: Attention: Official List of Vulnerable 3rd Party Add-ons!!!

Posted: Thu Aug 10, 2006 8:46 am
by RobS
Updated Again...

Added
JD-Wiki
Community Builder (com_profiler)  ((Thank you JM!))
Updated status for LMO
Updated link for SMF Bridge (for SMF 1.1RC2 only)

Last updated on August 10th, 2006 at 1:45 AM PDT (GMT-7)

Re: Attention: Official List of Vulnerable 3rd Party Add-ons!!!

Posted: Thu Aug 10, 2006 9:15 am
by RobS
I forgot some...

Added:
Classifieds
Events
Hot Properties

Last updated on August 10th, 2006 at 2:15 AM PDT (GMT-7)

Re: Attention: Official List of Vulnerable 3rd Party Add-ons!!!

Posted: Thu Aug 10, 2006 7:07 pm
by RobS
Added Blogg-X Mambot. - Removed Blogg-X.  It does not appear to be vulnerable upon further investigation.
Updated information about Security Images.

That brings the number of insecure 3rd party extensions up to 40 extensions.

Last updated on August 12th, 2006 at 11:16 AM PDT (GMT-7)

Re: Attention: Official List of Vulnerable 3rd Party Add-ons!!!

Posted: Sat Aug 12, 2006 6:18 pm
by RobS
Removed Blogg-X.  Upon further investigation Blogg-X does not appear to be vulnerable.

Re: Attention: Official List of Vulnerable 3rd Party Add-ons!!!

Posted: Tue Aug 15, 2006 5:59 am
by infograf768
Temporarily added the abandoned Webring component until updated by Robs.

Re: Attention: Official List of Vulnerable 3rd Party Add-ons!!!

Posted: Tue Aug 15, 2006 6:58 pm
by user deleted
Update has come in about Mosets Hot Property, their 0.98 release should fix the security issues. Still need to verify before we change the current listing.

Regards Robin

Re: Attention: Official List of Vulnerable 3rd Party Add-ons!!!

Posted: Wed Aug 16, 2006 7:16 am
by user deleted
I have received a reply from the developer of Mosets Tree and Hot Property. Mosets Tree 1.5.9 and Hot Property 0.98 are now solving the security issues. The list will be changed accordingly.

Re: Attention: Official List of Vulnerable 3rd Party Add-ons!!!

Posted: Fri Aug 18, 2006 4:22 am
by infograf768
See here for hacks concerning Joomlaboard 1.1.2 and CB 1.0.1 to make them compatible with register globals off as set in globals.php

http://forum.joomla.org/index.php/topic,86525.0.html

(please integrate in your list, Robs)

Re: Attention: Official List of Vulnerable 3rd Party Add-ons!!!

Posted: Fri Aug 18, 2006 6:33 am
by user deleted
Thanks JM, added as a note/reference to the listing.

Re: Attention: Official List of Vulnerable 3rd Party Add-ons!!!

Posted: Fri Aug 18, 2006 11:23 am
by user deleted

Re: Attention: Official List of Vulnerable 3rd Party Add-ons!!!

Posted: Fri Aug 18, 2006 11:34 am
by user deleted
Added Mambelfish 1.x due to report: http://secunia.com/advisories/21544/

Re: Attention: Official List of Vulnerable 3rd Party Add-ons!!!

Posted: Wed Aug 23, 2006 7:11 am
by infograf768
JCE vulnerability. Patch available.
http://www.cellardoor.za.net/index.php? ... mla.org%29

Re: Attention: Official List of Vulnerable 3rd Party Add-ons!!!

Posted: Sat Aug 26, 2006 8:32 am
by infograf768
I am informed a JCE 1.1 release is soon to get out. All potential holes will be plugged.

Re: Attention: Official List of Vulnerable 3rd Party Add-ons!!!

Posted: Sun Aug 27, 2006 8:38 am
by infograf768
SEF404x has been found vulnerable.
No crack known yet.
Developer contacted.
Extension taken off from JED until fixed.

Re: Attention: Official List of Vulnerable 3rd Party Add-ons!!!

Posted: Fri Sep 01, 2006 10:10 am
by RobS
Updated again...

Added BigApe Backup
Added SEF404x
Updated Colophon

Re: Attention: Official List of Vulnerable 3rd Party Add-ons!!!

Posted: Tue Sep 05, 2006 4:54 am
by infograf768
Remository v3.25 vulnerable.
Update to 3.26

See http://forum.joomla.org/index.php/topic ... #msg461272

Re: Attention: Official List of Vulnerable 3rd Party Add-ons!!!

Posted: Thu Sep 28, 2006 8:04 am
by Tonie
Added Facile Forms 1.46g and older, upgrade available.

Re: Attention: Official List of Vulnerable 3rd Party Add-ons!!!

Posted: Thu Oct 05, 2006 7:32 am
by rliskey
The Official List of Vulnerable 3rd Party/Non Joomla! Extensions is the new home for information on vulnerable 3rd party extensions. It contains a table style overview of all known vulnerable extensions with links to detailed information on each one.
http://forum.joomla.org/index.php/board,346.0.html

This thread will remain for announcements and discussions related to vulnerable 3rd party extension security issues.

Re: Attention: Official List of Vulnerable 3rd Party Add-ons!!!

Posted: Sat Oct 21, 2006 1:45 am
by rliskey
The Big Ape entry was updated with a link to a patch that was released by the developer.

Re: Attention: Official List of Vulnerable 3rd Party Add-ons!!!

Posted: Sat Oct 21, 2006 1:49 am
by rliskey
Joomlaboard entry has been updated to advise upgrade to version 1.1.3
http://forum.joomla.org/index.php/topic ... #msg501968

Re: Attention: Official List of Vulnerable 3rd Party Add-ons!!!

Posted: Sun Oct 22, 2006 4:45 am
by rliskey
BSQ Site Stats entry updated due to SQL injection vulnerability.
http://forum.joomla.org/index.php/topic,100146

Re: Attention: Official List of Vulnerable 3rd Party Add-ons!!!

Posted: Mon Nov 13, 2006 7:49 pm
by Tonie
Security issue with JCE 1.0.4, please read here

Re: Attention: Official List of Vulnerable 3rd Party Add-ons!!!

Posted: Sat Jan 06, 2007 6:09 am
by rliskey
Added a link to the Adobe Reader XSS vulnerability report. This is not a Joomla! or third party issue, but because so many sites use PDF files, I think it's worth noting.

http://forum.joomla.org/index.php/topic ... #msg506694

Re: Attention: Official List of Vulnerable 3rd Party Add-ons!!!

Posted: Tue Mar 13, 2007 6:11 pm
by rliskey
VirtueMart vulnerability reported by the vendor. For all versions below 1.0.10.
Patch available; upgrade immediately.
http://forum.joomla.org/index.php/topic,150053

Re: Attention: Official List of Vulnerable 3rd Party Add-ons!!!

Posted: Sun Mar 18, 2007 9:56 pm
by rliskey
Seems there's a vulnerable, abandoned project floating around called "Link Directory" that some people are finding and installing.

Name: Link Directory
Short Name: com_linkdirectory
Versions: All (abandoned project)
Reference: http://forum.joomla.org/index.php?topic=149131.new#new

Re: Attention: Official List of Vulnerable 3rd Party Add-ons!!!

Posted: Sun May 13, 2007 8:56 pm
by rliskey
The Official Vulnerable Extensions List is now hosted on the Help site, in the FAQs section.

The Security and Performance FAQs are an easy-to-navigate list of essential information gleaned from quality Security Forum posts.

Re: Attention: Official List of Vulnerable 3rd Party Add-ons!!!

Posted: Thu Jun 21, 2007 7:10 pm
by rliskey
The Vulnerable Extensions List is once again improved. All data is now available in one view.
http://help.joomla.org/component/option ... temid,268/