[PATCH AVAIL.] JD-WordPress Vulnerability

Posted: Sat Jul 29, 2006 1:50 am
by Elpie
Remote file inclusion vulnerability.
JD-WordPress for Joomla is prone to multiple remote file-include vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker can exploit these issues to include arbitrary remote files containing malicious PHP code and execute it in the context of the webserver process. This may allow the attacker to compromise the application and to gain access to the underlying system.

Version 2.0-1.0 RC2 is vulnerable to these issues; prior versions may also be affected.
The developer has been notified.

Re: JD-WordPress Vulnerability

Posted: Sat Jul 29, 2006 9:38 am
by Predator
Thanks Elpie, and as I said, I have problems reproducing this; maybe RobS can check this, and if so, why I have problems reproducing this. Thanks in advance.

Re: JD-WordPress Vulnerability

Posted: Mon Jul 31, 2006 4:05 am
by dsendecki
Has there been any headway made with uncovering this vulnerability? This has me greatly concerned!

Re: JD-WordPress Vulnerability

Posted: Mon Jul 31, 2006 4:51 am
by Elpie
The exploits that have been published both appear to rely on register_globals being on. If you have register_globals off and are not running globals emulation 1 (globals.php in Joomla) you should be fine.
While I personally wouldn't use htaccess to block attempts, RobS's htaccess will also block any attempts to exploit JD-WordPress.

Re: JD-WordPress Vulnerability

Posted: Mon Jul 31, 2006 8:32 am
by RobS
Joomla!'s RG emulation is probably safe as it does a fair job of sanitizing input, but I haven't thoroughly tested it myself, just browsed through it a bit.

Re: JD-WordPress Vulnerability

Posted: Mon Jul 31, 2006 3:26 pm
by Predator
Well, I have now tested during the weekend locally with RG on and allow_furl on together with Joomla! 1.0.10, and also on a friend's webhosting with RG on and allow_furl on and Joomla! 1.0.10, and could not reproduce this. But to avoid any constellation which may allow this, I have made a patch where I replaced the call

require_once( $mosConfig_absolute_path .'/components/com_jd-wp/wp-config.php' );

into

require(dirname(__FILE__) . '/wp-config.php');

to be sure.

If you normally have RG off you should be safe, as even with it on I was not able to hack it with Joomla! 1.0.10.
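As an added example (not JD-WordPress's own code, and not part of Predator's patch), the two include forms side by side, a containment check an integrator could add on top of the patch, and a report of the PHP settings this thread says the published exploits depend on. The function names and the "allowed directory" argument are this example's own assumptions.

```php
<?php
// Added example, not JD-WordPress code: the include pattern before and after the
// patch in this thread, plus the checks an administrator can run on the server.

// Before the patch the path was built from $mosConfig_absolute_path, which Joomla's
// index.php normally defines. If the script runs before that happens (for instance
// when it is requested directly) with register_globals on, PHP fills the variable
// from the request, so the include target is no longer under the site's control.
function config_path_before($mosConfig_absolute_path) {
    return $mosConfig_absolute_path . '/components/com_jd-wp/wp-config.php';
}

// After the patch the path is anchored to the directory of the script itself;
// nothing in the request can change where dirname(__FILE__) points.
function config_path_after() {
    return dirname(__FILE__) . '/wp-config.php';
}

// Defence in depth (assumed helper): resolve the path and accept only a regular local
// file inside the component's own directory. realpath() normalises ../ and fails on
// anything that is not a local filesystem path, so URLs are rejected outright.
function safe_local_include($path, $allowed_dir) {
    $real = realpath($path);
    $dir  = realpath($allowed_dir);
    if ($real === false || $dir === false) {
        return false;
    }
    return strpos($real, $dir . DIRECTORY_SEPARATOR) === 0 && is_file($real);
}

// Report the settings Elpie and Predator discuss. allow_url_include only exists in
// PHP >= 5.2 and register_globals was removed in 5.4; ini_get() returns false for
// unknown directives, which is treated here as "off".
function rfi_exposure_report() {
    $flags  = array('register_globals', 'allow_url_fopen', 'allow_url_include');
    $report = array();
    foreach ($flags as $flag) {
        $value = ini_get($flag);
        $report[$flag] = ($value !== false && $value !== '' && $value !== '0'
                          && strtolower($value) !== 'off');
    }
    return $report;
}

$report = rfi_exposure_report();
foreach ($report as $flag => $on) {
    echo $flag, ': ', ($on ? 'ON' : 'off'), "\n";
}
if ($report['register_globals']) {
    echo "register_globals is on: apply the patch above or turn it off in php.ini\n";
}
```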

Re: JD-WordPress Vulnerability

Posted: Tue Aug 01, 2006 6:59 am
by RobS
Also added to the list with a link to your patch.

Re: JD-WordPress Vulnerability

Posted: Thu Aug 03, 2006 1:20 am
by Vish
Marco

I must say, you have done a gr8 job with this component.

Re: JD-WordPress Vulnerability

Posted: Thu Aug 03, 2006 1:38 am
by Predator
Vish wrote: Marco

I must say, you have done a gr8 job with this component.
Thanks Vish  8)

Will add the use of the permalink with Joomla in the next day, so JD-WP will then also have long URLs :D the way the original WP has it. It is a custom job, but I can then release the code to the community so everybody can use it ;)

Re: JD-WordPress Vulnerability

Posted: Sat Aug 05, 2006 3:00 am
by cmyksteve
RobS wrote: Also added to the list with a link to your patch.
Hi RobS,

I ran across your notice that JD-WordPress was on the Security Risk list, but I don't see the link to the patch you mention here. Please point me to it.

Thanks,
Steve

Re: JD-WordPress Vulnerability

Posted: Sat Aug 05, 2006 6:55 am
by Predator
cmyksteve wrote:
RobS wrote: Also added to the list with a link to your patch.
Hi RobS,

I ran across your notice that JD-WordPress was on the Security Risk list, but I don't see the link to the patch you mention here. Please point me to it.

Thanks,
Steve
See the attachment in Reply #5 in this Thread ;)

Re: [PATCH AVAIL.] JD-WordPress Vulnerability

Posted: Thu Aug 17, 2006 12:10 pm
by duvien
I've just patched JD-WP and the commenting system failed to work afterwards. But I soon realised there was a typo error on line 64:

elseif ( !is_email($comment_author_email))

should have been:

elseif ( !is_wp_email($comment_author_email))

Nothing major and apart from that everything else went smoothly. Thanks for the security patch :)

P.S. I have attached the patch here to include the line above and nothing else.

Re: [PATCH AVAIL.] JD-WordPress Vulnerability

Posted: Thu Aug 17, 2006 12:16 pm
by Predator
Oops, sorry, my fault  :-[

Thanks duvien for correcting this ;)

Re: [PATCH AVAIL.] JD-WordPress Vulnerability

Posted: Wed Oct 24, 2007 7:21 pm
by Samleo
Hi, where can I download JD-WordPress??

Re: [PATCH AVAIL.] JD-WordPress Vulnerability

Posted: Thu Dec 20, 2007 4:42 pm
by karryberry
What plugins are you using with the WordPress app?

Re: [PATCH AVAIL.] JD-WordPress Vulnerability

Posted: Thu Dec 20, 2007 5:19 pm
by cmyksteve
JD-WordPress is no longer supported.
But a fork of this Joomla component called mojoBlog can be found on Joomlify.com

mojoBlog is still in beta, running under Joomla 1.0.13

Re: [PATCH AVAIL.] JD-WordPress Vulnerability

Posted: Mon Feb 25, 2008 12:01 am
by panter011
Hello, it seems that the joomlify.com site is down.
where else can I have this mojoblog component?
thanks
Javier

Re: [PATCH AVAIL.] JD-WordPress Vulnerability

Posted: Mon Feb 25, 2008 3:20 pm
by NateM
I am also among the number of people who can't access the joomlify site. Anyone know what went down? It was fine a few days ago.

Re: [PATCH AVAIL.] JD-WordPress Vulnerability

Posted: Mon Feb 25, 2008 4:37 pm
by cmyksteve
NateM wrote:... Anyone know what went down? It was fine a few days ago.
I'm sure Kevin will have Joomlify.com back up soon. The datacenter was having some issues but it looked like those were being addressed last week. I don't know what this current blackout was caused by, but waiting on files directly from Joomlify.com would be the best place to get current versions of mojoBlog (beta 0.16).

Re: [PATCH AVAIL.] JD-WordPress Vulnerability

Posted: Mon Feb 25, 2008 6:34 pm
by panter011
ok, hope it will be soon, thank you!
anyway do you know any alternative download page?
thanks
Javier

Re: [PATCH AVAIL.] JD-WordPress Vulnerability

Posted: Tue Feb 26, 2008 12:55 am
by cmyksteve
Joomlify.com is back up.
Here's a link to the current version of mojoBlog from the download area-
http://www.joomlify.com/component/optio ... Itemid,53/