While designing some security around my new site, I started testing for vulnerabilities and came across something a little concerning.
The built-in RSS feed component does not appear to like additional characters injected in the URL.
For example, I accessed my RSS feed as usual, but this time I added a few chars to the syntax of the request: http://[SITE]/?format=feed&type=%2527%2522
You are then presented with a nice tidbit of info regarding the server's root directory structure:
Code:
jos-Error: Unable to load renderer class
JSite -> render() @ /home[OMITTED]/html/index.php:48
JDocumentFeed -> render() @ /home[OMITTED]/html/includes/application.php:271
JDocument -> loadRenderer() @ /home[OMITTED]/html/libraries/joomla/document/feed/feed.php:201
JError :: raiseError() @ /home[OMITTED]/html/libraries/joomla/document/document.php:926
JError :: raise() @ /home[OMITTED]/html/libraries/joomla/error/error.php:251
JError :: throwError() @ /home[OMITTED]/html/libraries/joomla/error/error.php:176
call_user_func_array() @ /home[OMITTED]/html/libraries/joomla/error/error.php:214
JError :: handleCallback()
call_user_func() @ /home[OMITTED]/html/libraries/joomla/error/error.php:765
plgSystemQlue404 :: handleError()
JDocumentFeed -> render() @ /home[OMITTED]/html/plugins/system/qlue404/qlue404.php:122
JDocument -> loadRenderer() @ /home[OMITTED]/html/libraries/joomla/document/feed/feed.php:201
JError :: raiseError() @ /home[OMITTED]/html/libraries/joomla/document/document.php:926
JError :: raise() @ /home[OMITTED]/html/libraries/joomla/error/error.php:251
At first glance a person might say this is an issue with the Qlue404 plugin; however, a quick search against a different server quickly shows this may be related to Custom Error Page plugins in general:
Code:
jos-Error: Unable to load renderer class
JSite -> dispatch() @ /home[OMITTED]public_html/index.php:42
JComponentHelper :: renderComponent() @ /home[OMITTED]public_html/includes/application.php:197
JComponentHelper :: executeComponent() @ /home[OMITTED]public_html/libraries/joomla/application/component/helper.php:351
require_once() @ /home[OMITTED]public_html/libraries/joomla/application/component/helper.php:383
JController -> execute() @ /home[OMITTED]public_html/components/com_content/content.php:16
ContentController -> display() @ /home[OMITTED]public_html/libraries/joomla/application/component/controller.php:760
JController -> display() @ /home[OMITTED]public_html/components/com_content/controller.php:74
JController -> getView() @ /home[OMITTED]public_html/libraries/joomla/application/component/controller.php:677
JError :: raiseError() @ /home[OMITTED]public_html/libraries/joomla/application/component/controller.php:902
JError :: raise() @ /home[OMITTED]public_html/libraries/joomla/error/error.php:251
JError :: throwError() @ /home[OMITTED]public_html/libraries/joomla/error/error.php:176
call_user_func_array() @ /home[OMITTED]public_html/libraries/joomla/error/error.php:214
JError :: handleCallback()
call_user_func() @ /home[OMITTED]public_html/libraries/joomla/error/error.php:765
plgSystemRedirect :: handleError()
JError :: customErrorPage() @ /home[OMITTED]public_html/plugins/system/redirect/redirect.php:109
JDocumentError -> render() @ /home[OMITTED]public_html/libraries/joomla/error/error.php:798
JDocumentError -> _loadTemplate() @ /home[OMITTED]public_html/libraries/joomla/document/error/error.php:107
require_once() @ /home[OMITTED]public_html/libraries/joomla/document/error/error.php:135
JDocument -> loadRenderer() @ /home[OMITTED]public_html/templates/je-construct-pro/error.php:84
JError :: raiseError() @ /home[OMITTED]public_html/libraries/joomla/document/document.php:926
JError :: raise() @ /home[OMITTED]public_html/libraries/joomla/error/error.php:251
If you would like to see for yourself, run a quick query with the following term:
Code:
jos-Error: Unable to load renderer class JSite -> dispatch() @ /home
Please share your thoughts. I'm curious to see if anyone else has seen this issue before.
Current Joomla! version: 2.5.6
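
Added example, not part of the original post and not Joomla code: a Python check a site owner can run over response bodies captured from their own site, to flag a JError backtrace like the ones above and report what it discloses. The HTML markup and the /home/exampleuser paths in the sample are constructed assumptions; the post shows only the rendered text.

```python
import html
import posixpath
import re

# One frame as shown in the post: "JSite -> render() @ /path/index.php:48"
FRAME = re.compile(
    r"(?:(?P<cls>\w+)\s*(?:->|::)\s*)?(?P<func>\w+)\(\)"
    r"(?:\s*@\s*(?P<path>/\S+?):(?P<line>\d+))?"
)
MARKER = re.compile(r"jos-(?:Error|Warning|Notice):[ \t]*(?P<msg>[^\n]*)")

def parse_backtrace(body):
    """Return (message, frames) for a JError dump in body, else (None, [])."""
    text = re.sub(r"<br\s*/?>", "\n", body)             # line breaks first
    text = html.unescape(re.sub(r"<[^>]+>", "", text))  # drop tags, then decode -&gt;
    m = MARKER.search(text)
    if not m:
        return None, []
    frames = []
    for raw in text[m.end():].splitlines():
        f = FRAME.fullmatch(raw.strip())
        if f:
            frames.append(f.groupdict())
    return m.group("msg").strip(), frames

def audit(body):
    """Summarise what a response body discloses through a backtrace."""
    msg, frames = parse_backtrace(body)
    paths = [f["path"] for f in frames if f["path"]]
    # Deepest directory shared by every leaked file path = disclosed install root
    root = posixpath.commonpath([posixpath.dirname(p) for p in paths]) if paths else None
    return {
        "leaks": bool(paths),
        "message": msg,
        "web_root": root,
        "files": sorted({posixpath.relpath(p, root) for p in paths}),
        # Plugins whose handleError() appears in the chain (e.g. custom 404 plugins)
        "error_handlers": sorted({f["cls"] for f in frames
                                  if f["func"] == "handleError" and f["cls"]}),
    }

# Constructed sample body, modelled on the first trace in the post.
SAMPLE = (
    "<br /><b>jos-Error</b>: Unable to load renderer class<br />\n"
    "JSite -&gt; render() @ /home/exampleuser/html/index.php:48<br />\n"
    "JError :: handleCallback()<br />\n"
    "plgSystemQlue404 :: handleError()<br />\n"
    "JDocumentFeed -&gt; render() @ /home/exampleuser/html/plugins/system/qlue404/qlue404.php:122<br />\n"
)

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A clean feed response should come back with `leaks` set to `False`, which makes the function usable as a regression check after error output has been locked down.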