The Joomla! Forum ™
PostPosted: Fri Aug 18, 2006 10:40 am 
Joomla! Enthusiast

Joined: Thu Aug 18, 2005 1:33 pm
Posts: 108
Location: Sebastopol
Secunia Advisory: SA21545
Release Date: 2006-08-18

Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched

Software: JIM 1.x (component for Joomla)

Description:
XORON has discovered a vulnerability in the JIM component for Joomla, which can be exploited by malicious people to compromise a vulnerable system.

Input passed to the "mosConfig_absolute_path" parameter in components/com_jim/install.jim.php is not properly verified, before it is used to include files. This can be exploited to include arbitrary files from external and local resources.

Successful exploitation requires that "register_globals" is enabled.

The vulnerability has been confirmed in version 1.0.1. Other versions may also be affected.

Solution:
Edit the source code to ensure that the input is properly verified.

Set "register_globals" to "Off".

Read more: http://secunia.com/advisories/21545/

_________________
Joomlaportal.ru News, articles and tutorials
Joomlaforum.ru Russian Joomla Support Forum
Member of the Russian Joomla Translation Team

PostPosted: Fri Aug 18, 2006 11:31 am 
Joomla! Guru

Joined: Tue Aug 30, 2005 9:11 pm
Posts: 551
Location: Aix-En-Provence, France
URGENT: You can secure JIM (on this point) by removing line 16 in install.jim.php:
Code:
require_once($mosConfig_absolute_path."/components/com_jim/readme.txt");


Any user who is victim of an attack using JIM will get free support on :
http://www.joomlation.eu (intl)
or
http://www.joomlation.org (fr)

_________________
May the forge be with you!
http://www.joomlation.eu (intl)
http://www.joomlation.org (fr)


Last edited by globule on Fri Aug 18, 2006 1:33 pm, edited 1 time in total.
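The removed include next to a hardened form, as an added example that is neither JIM's code nor globule's patch: it assumes the file lives at <root>/components/com_jim/install.jim.php, relies on Joomla 1.0's _VALID_MOS guard, and uses jimReadTextFile as a hypothetical helper name.

```php
<?php
// Added example, not JIM's own code. $mosConfig_absolute_path is Joomla 1.0's
// base path set in configuration.php; _VALID_MOS is the constant Joomla 1.0's
// index.php defines before it loads a component.

// Unsafe (the line 16 that was removed): with register_globals=On, a request
// parameter named mosConfig_absolute_path becomes a PHP global before this
// file runs, so when the file is requested directly the include path is
// whatever the request says, and require_once executes what it finds there.
//   require_once($mosConfig_absolute_path . "/components/com_jim/readme.txt");

// Hardened:
// 1. Refuse direct requests. Only Joomla's front controller defines _VALID_MOS,
//    and by then configuration.php has set the real $mosConfig_absolute_path.
defined('_VALID_MOS') or die('Direct Access to this location is not allowed.');

// 2. Do not trust a global for the path at all: derive the site root from this
//    file's own location (assumes <root>/components/com_jim/install.jim.php).
$jimRoot = realpath(dirname(__FILE__) . '/../..');

// 3. Treat readme.txt as data, not code. Including a .txt with require_once
//    runs any <?php block it contains; reading it as text cannot.
function jimReadTextFile($root, $relative) {
    $target = realpath($root . '/' . $relative);
    // realpath() resolves "..", so this prefix check rejects anything outside $root
    if ($target === false || strpos($target, $root . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return file_get_contents($target);
}

$readme = jimReadTextFile($jimRoot, 'components/com_jim/readme.txt');
echo $readme === false ? 'readme.txt not found' : nl2br(htmlspecialchars($readme));
```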
PostPosted: Fri Aug 18, 2006 11:39 am 
Joomla! Master

Joined: Thu Aug 18, 2005 7:13 am
Posts: 16539
@globule. That was fast, good to read. Just sent you an email five minutes ago.

_________________
Joomla forum global moderator.

Have fun

PostPosted: Fri Aug 18, 2006 12:01 pm 
Joomla! Guru

Joined: Tue Aug 30, 2005 9:11 pm
Posts: 551
Location: Aix-En-Provence, France
I subscribed to Secunia a few days ago! :P
I was cooking for my children when I was informed >:(

Thanks for the information anyway! ;)

All "Come on... Joomla!" members have been informed via the newsletter. As this site will soon close, my efforts (Jim included) go to Joomlation.

Here is the patched file for users. Use FTP to update /administrator/components/com_jim/install.jim.php
You don't need to remove JIM. If you do so, you will lose ALL messages.
(This is already corrected for next version)

The patch is also available on Joomlation.eu

_________________
May the forge be with you!
http://www.joomlation.eu (intl)
http://www.joomlation.org (fr)


Last edited by globule on Fri Aug 18, 2006 1:52 pm, edited 1 time in total.
PostPosted: Fri Aug 18, 2006 12:18 pm 
Joomla! Explorer

Joined: Thu Aug 18, 2005 10:40 pm
Posts: 466
Location: las vegas USA
http://www.joomlation.eu/

Forbidden
You don't have permission to access / on this server.

Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

_________________
joomla 1.6 Türk destek sitesi http://www.joomlaturk.net/

PostPosted: Fri Aug 18, 2006 12:24 pm 
Joomla! Guru

Joined: Tue Aug 30, 2005 9:11 pm
Posts: 551
Location: Aix-En-Provence, France
It works for me!
Where are you from?

_________________
May the forge be with you!
http://www.joomlation.eu (intl)
http://www.joomlation.org (fr)

PostPosted: Fri Aug 18, 2006 12:41 pm 
Joomla! Apprentice

Joined: Thu Jan 12, 2006 12:45 am
Posts: 11
Location: Westland, MI
Well, I had people from 14 different countries do a google search on inurl:com_jim and they tagged me good.  My site is completely down for now.

Luckily for me I was at the top of the google search (mixed blessing).  :(

Scott
http://www.shutchi2.com

PostPosted: Fri Aug 18, 2006 12:57 pm 
Joomla! Explorer

Joined: Thu Aug 18, 2005 10:40 pm
Posts: 466
Location: las vegas USA
globule wrote:
It works for me!
Where are you from?


Of course it works for you!!

I am from İstanbul, Turkey.
Most likely you banned all the Turkish IPs.

I am fed up arguing about this subject.... I've given up!!!

You guys do whatever makes you happy... I respect your decision.

I can connect to http://www.joomlation.org/ but my French sucks!

EDIT
Thanks for removing the IP ban, globule..
I appreciate your decision.

_________________
joomla 1.6 Türk destek sitesi http://www.joomlaturk.net/


Last edited by Anonymous on Fri Aug 18, 2006 1:26 pm, edited 1 time in total.
PostPosted: Fri Aug 18, 2006 1:05 pm 
Joomla! Guru

Joined: Tue Aug 30, 2005 9:11 pm
Posts: 551
Location: Aix-En-Provence, France
Now that JIM has been attacked, the whole site can be considered as tested and safe (I hope...)
So this filter will soon be removed. I'm sorry I had to take such a decision...

_________________
May the forge be with you!
http://www.joomlation.eu (intl)
http://www.joomlation.org (fr)

PostPosted: Fri Aug 18, 2006 1:12 pm 
Joomla! Guru

Joined: Tue Aug 30, 2005 9:11 pm
Posts: 551
Location: Aix-En-Provence, France
shutchi2 wrote:
Well, I had people from 14 different countries do a google search on inurl:com_jim and they tagged me good.  My site is completely down for now.

Luckily for me I was at the top of the google search (mixed blessing).  :(

Scott
http://www.shutchi2.com

Is it down because you've been hacked?

_________________
May the forge be with you!
http://www.joomlation.eu (intl)
http://www.joomlation.org (fr)

PostPosted: Fri Aug 18, 2006 1:16 pm 
Joomla! Apprentice

Joined: Thu Jan 12, 2006 12:45 am
Posts: 11
Location: Westland, MI
It appears that way, but I'm going through logs right now to figure out what happened.  I'm on the console and the server is working but it looks like some files were modified.  Keeping it offline until I figure out what got changed.

PostPosted: Fri Aug 18, 2006 1:26 pm 
Joomla! Guru

Joined: Tue Aug 30, 2005 9:11 pm
Posts: 551
Location: Aix-En-Provence, France
You can get the list of all your files sorted by last modification date on joomlation.eu : filist.php
Once you get this list, remove this script...

_________________
May the forge be with you!
http://www.joomlation.eu (intl)
http://www.joomlation.org (fr)

PostPosted: Fri Aug 18, 2006 1:41 pm 
Joomla! Guru

Joined: Tue Aug 30, 2005 9:11 pm
Posts: 551
Location: Aix-En-Provence, France
shutchi2 wrote:
Well, I had people from 14 different countries do a google search on inurl:com_jim and they tagged me good.

Thanks for reminding me of this function!
I contacted all sites listed (2 pages) except one having no information about how to do so: http://www.infopyme.com.py

I also noticed many of the versions used on these sites are not up to date... This will be taken into consideration for the next version.

This forum url has been sent to Secunia as source for the patch.

Thanks a lot to joomla.org and its community to keep users informed so fast.

_________________
May the forge be with you!
http://www.joomlation.eu (intl)
http://www.joomlation.org (fr)

PostPosted: Fri Aug 18, 2006 1:42 pm 
Joomla! Explorer

Joined: Thu Aug 18, 2005 10:40 pm
Posts: 466
Location: las vegas USA
globule wrote:
You can get the list of all your files sorted by last modification date on joomlation.eu : filist.php
Once you get this list, remove this script...


I urge every Joomla user to utilize the filist.php tool.

It takes 2 seconds to find hacker scripts on your server with this method.
Anything uploaded as a shell script will show at the top of the list.
Simply remove them (DO NOT DOWNLOAD).
Your anti-virus program will give a virus alert if you try to download.

_________________
joomla 1.6 Türk destek sitesi http://www.joomlaturk.net/
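An added stand-in for the filist.php idea discussed above (not the joomlation.eu script itself): it lists files under a directory newest first and flags any file whose first bytes contain PHP code regardless of its name, which is how an oddly named file like the php.haxplore find above stands out. The function names looksLikePhp and listRecentFiles are assumptions.

```php
<?php
// Added example, not the filist.php script from joomlation.eu.
// Command line:  php recent_files.php /path/to/joomla
// Or upload it to the site root, open it once in a browser, then delete it,
// as globule advises for filist.php.

// A file is flagged when its first 512 bytes contain an opening PHP tag,
// whatever its extension (short "<?" tags without "php" are not matched).
function looksLikePhp($path) {
    $head = @file_get_contents($path, false, null, 0, 512);
    return $head !== false && preg_match('/<\?(php|=)/i', $head) === 1;
}

// Walk $root recursively and return up to $limit files, newest first.
function listRecentFiles($root, $limit = 200) {
    $rows = array();
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $path => $info) {
        if (!$info->isFile()) {
            continue;
        }
        $rows[] = array(
            'mtime' => $info->getMTime(),
            'size'  => $info->getSize(),
            'php'   => looksLikePhp($path),
            'path'  => $path,
        );
    }
    usort($rows, function ($a, $b) { return $b['mtime'] - $a['mtime']; });
    return array_slice($rows, 0, $limit);
}

$isCli = PHP_SAPI === 'cli';
$root = $isCli
    ? (isset($argv[1]) ? $argv[1] : getcwd())
    : dirname(__FILE__);          // when uploaded to the site root
if (!$isCli) {
    echo "<pre>";
}
printf("%-19s %10s %-4s %s\n", 'modified', 'bytes', 'php?', 'path');
foreach (listRecentFiles($root) as $r) {
    $shown = $isCli ? $r['path'] : htmlspecialchars($r['path']);
    printf("%-19s %10d %-4s %s\n",
        date('Y-m-d H:i:s', $r['mtime']), $r['size'], $r['php'] ? 'YES' : '', $shown);
}
if (!$isCli) {
    echo "</pre>";
}
```

Files marked YES that sit in upload, image or cache directories, or that carry a non-PHP extension, are the ones to look at first.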

PostPosted: Fri Aug 18, 2006 1:43 pm 
Joomla! Apprentice

Joined: Thu Jan 12, 2006 12:45 am
Posts: 11
Location: Westland, MI
Found a php.haxplore file that was recently added, looking for info on it...anyone familiar with this?  ???

PostPosted: Fri Aug 18, 2006 2:22 pm 
Joomla! Apprentice

Joined: Thu Jan 12, 2006 12:45 am
Posts: 11
Location: Westland, MI
Well I'm back up and patched, my AV went nuts with the php.haxplore file so I deleted it.  Thanks for your help everyone, and that filist.php script works great!

Scott

PostPosted: Fri Aug 18, 2006 2:27 pm 
Joomla! Guru

Joined: Tue Aug 30, 2005 9:11 pm
Posts: 551
Location: Aix-En-Provence, France
Don't forget to remove it!

Was Jim used to upload the file? What did the logs tell you?

_________________
May the forge be with you!
http://www.joomlation.eu (intl)
http://www.joomlation.org (fr)

PostPosted: Fri Aug 18, 2006 2:34 pm 
Joomla! Apprentice

Joined: Thu Jan 12, 2006 12:45 am
Posts: 11
Location: Westland, MI
The logs didn't tell me what they used to upload it, just where it came from (proxy).  Sometimes win32 servers leave something to be desired...

PostPosted: Thu Mar 29, 2007 1:26 am 
Joomla! Intern

Joined: Thu Sep 08, 2005 6:37 am
Posts: 73
joomlaturk wrote:
globule wrote:
You can get the list of all your files sorted by last modification date on joomlation.eu : filist.php
Once you get this list, remove this script...


I urge every Joomla user to utilize the filist.php tool.

It takes 2 seconds to find hacker scripts on your server with this method.
Anything uploaded as a shell script will show at the top of the list.
Simply remove them (DO NOT DOWNLOAD).
Your anti-virus program will give a virus alert if you try to download.

But can you tell a novice exactly how you use the filist.php tool? Do you upload it to your server - where???
PostPosted: Thu Jan 22, 2009 3:34 pm 
Joomla! Apprentice

Joined: Fri Sep 02, 2005 12:17 pm
Posts: 31
filist.php doesn't seem to be available from joomlation.eu

Any alternative tool or source?

PostPosted: Thu Jan 22, 2009 8:32 pm 
Joomla! Guru

Joined: Tue Aug 30, 2005 9:11 pm
Posts: 551
Location: Aix-En-Provence, France
trebso wrote:
filist.php doesn't seem to be available from joomlation.eu

Any alternative tool or source?

Of course it is!
http://joomlation.eu/index.php?option=c ... &Itemid=35

_________________
May the forge be with you!
http://www.joomlation.eu (intl)
http://www.joomlation.org (fr)

PostPosted: Thu Jan 22, 2009 8:51 pm 
Joomla! Apprentice

Joined: Fri Sep 02, 2005 12:17 pm
Posts: 31
My mistake - I searched for filist.php not filist.

Thanks
