Page 1 of 1

Joomla JIM Component File Inclusion Vulnerability

Posted: Fri Aug 18, 2006 10:40 am
by smart
Secunia Advisory: SA21545 Print Advisory 
Release Date: 2006-08-18

Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched

Software: JIM 1.x (component for Joomla)

Select a product and view a complete list of all Patched/Unpatched Secunia advisories affecting it.

Description:
XORON has discovered a vulnerability in the JIM component for Joomla, which can be exploited by malicious people to compromise a vulnerable system.

Input passed to the "mosConfig_absolute_path" parameter in components/com_jim/install.jim.php is not properly verified, before it is used to include files. This can be exploited to include arbitrary files from external and local resources.

Successful exploitation requires that "register_globals" is enabled.

The vulnerability has been confirmed in version 1.0.1. Other versions may also be affected.

Solution:
Edit the source code to ensure that the input is properly verified.

Set "register_globals" to "Off".

Read more: http://secunia.com/advisories/21545/

Re : Joomla JIM Component File Inclusion Vulnerability

Posted: Fri Aug 18, 2006 11:31 am
by globule
URGENT You can make JIM secured (for this point) by removing line 16 in install.jim.php:

Code: Select all

require_once($mosConfig_absolute_path."/components/com_jim/readme.txt");
Any user who is victim of an attack using JIM will get free support on :
http://www.joomlation.eu (intl)
or
http://www.joomlation.org (fr)

Re: Joomla JIM Component File Inclusion Vulnerability

Posted: Fri Aug 18, 2006 11:39 am
by Tonie
@globule. That was fast, good to read. Just sent you an email five minutes ago.

Re : Joomla JIM Component File Inclusion Vulnerability

Posted: Fri Aug 18, 2006 12:01 pm
by globule
I subscribed to Secunia a few days ago! :P
I was cooking for my children when I've been informed >:(

Thanks for the information anyway! ;)

All "Come on... Joomla!" members informed using the newsletter. As this site will soon close, my efforts (Jim included) goes to Joomlation.

Here is the patched file for users. Use FTP to update /administrator/components/com_jim/install.jim.php
You don't need to remove JIM. If you do so, you will loose ALL messages
(This is already corrected for next version)

The patch is also available on Joomlation.eu

Re: Joomla JIM Component File Inclusion Vulnerability

Posted: Fri Aug 18, 2006 12:18 pm
by joomlaturk
http://www.joomlation.eu/

Forbidden
You don't have permission to access / on this server.

Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

Re : Joomla JIM Component File Inclusion Vulnerability

Posted: Fri Aug 18, 2006 12:24 pm
by globule
It works for me!
Where are you from?

Re: Joomla JIM Component File Inclusion Vulnerability

Posted: Fri Aug 18, 2006 12:41 pm
by shutchi2
Well, I had people from 14 different countries do a google search on inurl:com_jim and they tagged me good.  My site is completely down for now.

Luckily for me I was at the top of the google search (mixed blessing).  :(

Scott
http://www.shutchi2.com

Re: Re : Joomla JIM Component File Inclusion Vulnerability

Posted: Fri Aug 18, 2006 12:57 pm
by joomlaturk
globule wrote: It works for me!
Where are you from?
of course it works for you !!

I am from İstanbul Turkey.
most likely you banned all the Turkish IPs.

I am fed up arguing about this subject.... I'd gave up !!!

you guys do whatever makes you happy... I have respect to your decision.

I can connect to http://www.joomlation.org/ but my french sucks !

EDİT
thanks for removing IP ban globule..
I'd appreciated your decision.

Re : Joomla JIM Component File Inclusion Vulnerability

Posted: Fri Aug 18, 2006 1:05 pm
by globule
Now JIM has been attacked, the whole site can be considered has tested and safe (I hope...)
So this filter will soon be removed. I'm sorry I had to take such a decision...

Re : Re: Joomla JIM Component File Inclusion Vulnerability

Posted: Fri Aug 18, 2006 1:12 pm
by globule
shutchi2 wrote: Well, I had people from 14 different countries do a google search on inurl:com_jim and they tagged me good.  My site is completely down for now.

Luckily for me I was at the top of the google search (mixed blessing).  :(

Scott
http://www.shutchi2.com
Is it down because you've been hacked?

Re: Joomla JIM Component File Inclusion Vulnerability

Posted: Fri Aug 18, 2006 1:16 pm
by shutchi2
It appears that way, but I'm going through logs right now to figure out what happened.  I'm on the console and the server is working but it looks like some files were modified.  Keeping it offline until I figure out what got changed.

Re : Joomla JIM Component File Inclusion Vulnerability

Posted: Fri Aug 18, 2006 1:26 pm
by globule
You can get the list of all your files sorted by last modification date on joomlation.eu : filist.php
Once you get this list, remove this script...

Re : Re: Joomla JIM Component File Inclusion Vulnerability

Posted: Fri Aug 18, 2006 1:41 pm
by globule
shutchi2 wrote: Well, I had people from 14 different countries do a google search on inurl:com_jim and they tagged me good.
Thanks to remind me this function!
I contacted all sites listed (2 pages) except one having no information about how to do so : http://www.infopyme.com.py

I also noticed many of the versions used on these sites are not up to date... This will be token in consideration for next version.

This forum url has been sent to Secunia as source for the patch.

Thanks a lot to joomla.org and its community to keep users informed so fast.

Re: Re : Joomla JIM Component File Inclusion Vulnerability

Posted: Fri Aug 18, 2006 1:42 pm
by joomlaturk
globule wrote: You can get the list of all your files sorted by last modification date on joomlation.eu : filist.php
Once you get this list, remove this script...
I urge every joomla user to utilize filist.php tool.

it takes 2 seconds to find hacker scripts in your server with this method.
anybody that uploaded shell scripts will show at the top of the list.
simple just remove them ( DO NOT DOWNLOAD )
your anti virus program will give virus alert if you try to download.

Re: Joomla JIM Component File Inclusion Vulnerability

Posted: Fri Aug 18, 2006 1:43 pm
by shutchi2
Found a php.haxplore file that was recently added, looking for info on it...anyone familiar with this?  ???

Re: Joomla JIM Component File Inclusion Vulnerability

Posted: Fri Aug 18, 2006 2:22 pm
by shutchi2
Well I'm back up and patched, my AV went nuts with the php.haxplore file so I deleted it.  Thanks for your help everyone, and that filist.php script works great!

Scott

Re : Joomla JIM Component File Inclusion Vulnerability

Posted: Fri Aug 18, 2006 2:27 pm
by globule
Don't forget to remove it!

Was Jim used to upload the file? What the logs told you?

Re: Joomla JIM Component File Inclusion Vulnerability

Posted: Fri Aug 18, 2006 2:34 pm
by shutchi2
The logs didn't tell me what they used to upload it, just where it came from (proxy).  Sometimes win32 servers leave something to be desired...

Re: Re : Joomla JIM Component File Inclusion Vulnerability

Posted: Thu Mar 29, 2007 1:26 am
by tschier
joomlaturk wrote:
globule wrote: You can get the list of all your files sorted by last modification date on joomlation.eu : filist.php
Once you get this list, remove this script...
I urge every joomla user to utilize filist.php tool.

it takes 2 seconds to find hacker scripts in your server with this method.
anybody that uploaded shell scripts will show at the top of the list.
simple just remove them ( DO NOT DOWNLOAD )
your anti virus program will give virus alert if you try to download.

But can you tell a novice exactly how you use the filist.php tool? Do you uploade it to your server - where???


Re: Joomla JIM Component File Inclusion Vulnerability

Posted: Thu Jan 22, 2009 3:34 pm
by trebso
filist.php doesn't seem to be available from joomlation.eu

Any alternative tool or source?

Re: Joomla JIM Component File Inclusion Vulnerability

Posted: Thu Jan 22, 2009 8:32 pm
by globule
trebso wrote:filist.php doesn't seem to be available from joomlation.eu

Any alternative tool or source?
Of course it is !
http://joomlation.eu/index.php?option=c ... &Itemid=35

Re: Joomla JIM Component File Inclusion Vulnerability

Posted: Thu Jan 22, 2009 8:51 pm
by trebso
My mistake - I searched for filist.php not filist.

Thanks