| Joomla! http://forum.joomla.org/ |
|
| [PATCH AVAIL.] JD-WordPress Vulnerability http://forum.joomla.org/viewtopic.php?f=296&t=81064 |
Page 1 of 1 |
| Author: | Elpie [ Sat Jul 29, 2006 1:50 am ] |
| Post subject: | [PATCH AVAIL.] JD-WordPress Vulnerability |
Remote file inclusion vulnerability. JD-WordPress for Joomla is prone to multiple remote file-include vulnerabilities because it fails to properly sanitize user-supplied input. An attacker can exploit these issues to include arbitrary remote files containing malicious PHP code and execute it in the context of the webserver process. This may allow the attacker to compromise the application and to gain access to the underlying system. Version 2.0-1.0 RC2 is vulnerable to these issues; prior versions may also be affected. The developer has been notified. |
|
| Author: | Predator [ Sat Jul 29, 2006 9:38 am ] |
| Post subject: | Re: JD-WordPress Vulnerability |
Thanks Elpie, and as I told, I have probs to reproduce this. Maybe RobS can check this, and if so, why I have probs to reproduce this. Thanks in advance. |
|
| Author: | dsendecki [ Mon Jul 31, 2006 4:05 am ] |
| Post subject: | Re: JD-WordPress Vulnerability |
Has there been any headway made with uncovering this vulnerability? This has me greatly concerned! |
|
| Author: | Elpie [ Mon Jul 31, 2006 4:51 am ] |
| Post subject: | Re: JD-WordPress Vulnerability |
The exploits that have been published both appear to rely on register_globals being on. If you have register_globals off and are not running globals emulation 1 (globals.php in Joomla) you should be fine. While I personally wouldn't use htaccess to block attempts, RobS's htaccess will also block any attempts to exploit JD-Wordpress. |
|
| Author: | RobS [ Mon Jul 31, 2006 8:32 am ] |
| Post subject: | Re: JD-WordPress Vulnerability |
Joomla!'s RG emulation is probably safe as it does a fair job of sanitizing input, but I haven't thoroughly tested it myself, just browsed through it a bit. |
|
| Author: | Predator [ Mon Jul 31, 2006 3:26 pm ] |
| Post subject: | Re: JD-WordPress Vulnerability |
Well, I have tested now during the weekend locally with RG on and allow_furl on together with Joomla! 1.0.10, and also on a webhosting of a friend with RG on and allow_furl on and Joomla! 1.0.10, and could not reproduce this. But to avoid any constellation which may allow this, I have made a patch where I replaced the call require_once( $mosConfig_absolute_path .'/components/com_jd-wp/wp-config.php' ); with require(dirname(__FILE__) . '/wp-config.php'); to be sure. If you normally have RG off you should be safe, as I was, even with it on, not able to hack it with Joomla! 1.0.10. |
|
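Added example, not part of the thread or of the JD-WordPress patch: a small Python audit that flags include/require statements whose path depends on a variable the file never assigns itself, which is the pattern the replacement quoted in the post above removes. The function name audit_includes and the heuristic are assumptions of this example; the first two sample lines are the ones quoted in that post, the third sample is constructed.

```python
import re

# include / include_once / require / require_once, with or without parentheses
INCLUDE_RE = re.compile(
    r'\b(?:include|require)(?:_once)?\b\s*\(?(?P<expr>[^;]*);', re.I)
VAR_RE = re.compile(r'\$(\w+)')
# "$name =" but not "==" or "=>"
ASSIGN_RE = re.compile(r'\$(\w+)\s*=(?![=>])')

def audit_includes(php_source):
    """Return (line_no, statement, variables) for every include whose path
    uses a variable that this file has not assigned before that line.
    Heuristic only: it reads line by line and does not parse PHP."""
    assigned = set()
    findings = []
    for line_no, line in enumerate(php_source.splitlines(), 1):
        m = INCLUDE_RE.search(line)
        if m:
            unset = [v for v in VAR_RE.findall(m.group('expr'))
                     if v not in assigned]
            if unset:
                findings.append((line_no, m.group(0).strip(), unset))
        # Record assignments after the check so order of use matters.
        assigned.update(ASSIGN_RE.findall(line))
    return findings

# Line quoted in the post as the original call.
BEFORE = """<?php
require_once( $mosConfig_absolute_path .'/components/com_jd-wp/wp-config.php' );
"""
# Line quoted in the post as the patched call.
AFTER = """<?php
require(dirname(__FILE__) . '/wp-config.php');
"""
# Constructed sample: the file sets its own base path before including.
LOCAL_BASE = """<?php
$base = dirname(__FILE__);
include $base . '/wp-config.php';
"""

if __name__ == '__main__':
    for name, src in (('before', BEFORE), ('after', AFTER),
                      ('local base', LOCAL_BASE)):
        print(name, audit_includes(src))
```

A finding means the include path is only as trustworthy as whatever code set that variable first, so each one needs a manual look at how the file is reached.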
| Author: | RobS [ Tue Aug 01, 2006 6:59 am ] |
| Post subject: | Re: JD-WordPress Vulnerability |
Also added to the list with a link to your patch. |
|
| Author: | Vish [ Thu Aug 03, 2006 1:20 am ] |
| Post subject: | Re: JD-WordPress Vulnerability |
Marco I must say, you have done a gr8 job with this component. |
|
| Author: | Predator [ Thu Aug 03, 2006 1:38 am ] |
| Post subject: | Re: JD-WordPress Vulnerability |
Vish wrote: Marco I must say, you have done a gr8 job with this component. Thanks Vish. Will add the next day the use of the permalink with Joomla so JD-WP will then also have long URLs the way the original WP has it. It is a custom job but I can then release the code to the community so everybody can use it.
|
|
| Author: | cmyksteve [ Sat Aug 05, 2006 3:00 am ] |
| Post subject: | Re: JD-WordPress Vulnerability |
RobS wrote: Also added to the list with a link to your patch. Hi RobS, I ran across your notice that JD-WordPress was on the Security Risk list, but I don't see the link to the patch you mention here. Please point me to it. Thanks, Steve |
|
| Author: | Predator [ Sat Aug 05, 2006 6:55 am ] |
| Post subject: | Re: JD-WordPress Vulnerability |
cmyksteve wrote: RobS wrote: Also added to the list with a link to your patch. Hi RobS, I ran across your notice that JD-WordPress was on the Security Risk list, but I don't see the link to the patch you mention here. Please point me to it. Thanks, Steve See the attachment in Reply #5 in this Thread
|
|
| Author: | duvien [ Thu Aug 17, 2006 12:10 pm ] |
| Post subject: | Re: [PATCH AVAIL.] JD-WordPress Vulnerability |
I've just patched JD-WP and the commenting system failed to work afterwards. But soon I realised there was a typo error on line 64: elseif ( !is_email($comment_author_email)) should have been: elseif ( !is_wp_email($comment_author_email)) Nothing major and apart from that everything else went smoothly. Thanks for the security patch. P.S. I have attached the patch here to include the line above and nothing else. |
|
| Author: | Predator [ Thu Aug 17, 2006 12:16 pm ] |
| Post subject: | Re: [PATCH AVAIL.] JD-WordPress Vulnerability |
Oops, sorry, my fault. Thanks duvien for correcting this.
|
|
| Author: | Samleo [ Wed Oct 24, 2007 7:21 pm ] |
| Post subject: | Re: [PATCH AVAIL.] JD-WordPress Vulnerability |
Hi, where can I download the JD-Wordpress? |
|
| Author: | karryberry [ Thu Dec 20, 2007 4:42 pm ] |
| Post subject: | Re: [PATCH AVAIL.] JD-WordPress Vulnerability |
What plugins are you using with the WordPress app? |
|
| Author: | cmyksteve [ Thu Dec 20, 2007 5:19 pm ] |
| Post subject: | Re: [PATCH AVAIL.] JD-WordPress Vulnerability |
JD-WordPress is no longer supported. But a fork of this Joomla component called mojoBlog can be found on Joomlify.com. mojoBlog is still in beta, running under Joomla 1.0.13. |
|
| Author: | panter011 [ Mon Feb 25, 2008 12:01 am ] |
| Post subject: | Re: [PATCH AVAIL.] JD-WordPress Vulnerability |
Hello, it seems that the joomlify.com site is down. Where else can I have this mojoblog component? Thanks, Javier |
|
| Author: | NateM [ Mon Feb 25, 2008 3:20 pm ] |
| Post subject: | Re: [PATCH AVAIL.] JD-WordPress Vulnerability |
I am also among the number of people who can't access the joomlify site. Anyone know what went down? It was fine a few days ago. |
|
| Author: | cmyksteve [ Mon Feb 25, 2008 4:37 pm ] |
| Post subject: | Re: [PATCH AVAIL.] JD-WordPress Vulnerability |
NateM wrote: ... Anyone know what went down? It was fine a few days ago. I'm sure Kevin will have Joomlify.com back up soon. The datacenter was having some issues but it looked like those were being addressed last week. I don't know what this current blackout was caused by, but waiting on files directly from Joomlify.com would be the best place to get current versions of mojoBlog (beta 0.16). |
|
| Author: | panter011 [ Mon Feb 25, 2008 6:34 pm ] |
| Post subject: | Re: [PATCH AVAIL.] JD-WordPress Vulnerability |
OK, hope it will be soon, thank you! Anyway, do you know any alternative download page? Thanks, Javier |
|
| Author: | cmyksteve [ Tue Feb 26, 2008 12:55 am ] |
| Post subject: | Re: [PATCH AVAIL.] JD-WordPress Vulnerability |
Joomlify.com is back up. Here's a link to the current version of mojoBlog from the download area- http://www.joomlify.com/component/optio ... Itemid,53/ |
|
| All times are UTC |
|