Joomla! Discussion Forums

Secunia Advisory: SA21545 Print Advisory 
Release Date: 2006-08-18

Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched

Software: JIM 1.x (component for Joomla)

Select a product and view a complete list of all Patched/Unpatched Secunia advisories affecting it.

Description:
XORON has discovered a vulnerability in the JIM component for Joomla, which can be exploited by malicious people to compromise a vulnerable system.

Input passed to the "mosConfig_absolute_path" parameter in components/com_jim/install.jim.php is not properly verified, before it is used to include files. This can be exploited to include arbitrary files from external and local resources.

Successful exploitation requires that "register_globals" is enabled.

The vulnerability has been confirmed in version 1.0.1. Other versions may also be affected.

Solution:
Edit the source code to ensure that the input is properly verified.

Set "register_globals" to "Off".

Read more: http://secunia.com/advisories/21545/

URGENT You can make JIM secured (for this point) by removing line 16 in install.jim.php:


Any user who is victim of an attack using JIM will get free support on :
http://www.joomlation.eu (intl)
or
http://www.joomlation.org (fr)

@globule. That was fast, good to read. Just sent you an email five minutes ago.

I subscribed to Secunia a few days ago!
I was cooking for my children when I've been informed

Thanks for the information anyway!

All "Come on... Joomla!" members informed using the newsletter. As this site will soon close, my efforts (Jim included) goes to Joomlation.

Here is the patched file for users. Use FTP to update /administrator/components/com_jim/install.jim.php
You don't need to remove JIM. If you do so, you will loose ALL messages(This is already corrected for next version)

The patch is also available on Joomlation.eu

http://www.joomlation.eu/

Forbidden
You don't have permission to access / on this server.

Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

It works for me!
Where are you from?

Well, I had people from 14 different countries do a google search on inurl:com_jim and they tagged me good.  My site is completely down for now.

Luckily for me I was at the top of the google search (mixed blessing). 

Scott
http://www.shutchi2.com

of course it works for you !!

I am from İstanbul Turkey.
most likely you banned all the Turkish IPs.

I am fed up arguing about this subject.... I'd gave up !!!

you guys do whatever makes you happy... I have respect to your decision.

I can connect to http://www.joomlation.org/ but my french sucks !

EDİT
thanks for removing IP ban globule..
I'd appreciated your decision.

Now JIM has been attacked, the whole site can be considered has tested and safe (I hope...)
So this filter will soon be removed. I'm sorry I had to take such a decision...

Is it down because you've been hacked?

It appears that way, but I'm going through logs right now to figure out what happened.  I'm on the console and the server is working but it looks like some files were modified.  Keeping it offline until I figure out what got changed.

You can get the list of all your files sorted by last modification date on joomlation.eu : filist.php
Once you get this list, remove this script...

Thanks to remind me this function!
I contacted all sites listed (2 pages) except one having no information about how to do so : http://www.infopyme.com.py

I also noticed many of the versions used on these sites are not up to date... This will be token in consideration for next version.

This forum url has been sent to Secunia as source for the patch.

Thanks a lot to joomla.org and its community to keep users informed so fast.

I urge every joomla user to utilize filist.php tool.

it takes 2 seconds to find hacker scripts in your server with this method.
anybody that uploaded shell scripts will show at the top of the list.
simple just remove them ( DO NOT DOWNLOAD )
your anti virus program will give virus alert if you try to download.

Found a php.haxplore file that was recently added, looking for info on it...anyone familiar with this? 

Well I'm back up and patched, my AV went nuts with the php.haxplore file so I deleted it.  Thanks for your help everyone, and that filist.php script works great!

Scott

Don't forget to remove it!

Was Jim used to upload the file? What the logs told you?

The logs didn't tell me what they used to upload it, just where it came from (proxy).  Sometimes win32 servers leave something to be desired...

filist.php doesn't seem to be available from joomlation.eu

Any alternative tool or source?

Of course it is !
http://joomlation.eu/index.php?option=c ... &Itemid=35

My mistake - I searched for filist.php not filist.

Thanks