Vulnerability List last 3 months from NVD - US Gov.

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

PhilD
Joomla! Hero
Posts: 2727
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA

Vulnerability List last 3 months from NVD - US Gov.

Postby PhilD » Fri Oct 30, 2009 6:23 pm

In light of discussions such as viewtopic.php?f=432&t=411032 and viewtopic.php?f=432&t=445638 among others, here is a list (kind of long - 38 results) of vulnerabilities to some 3rd party Joomla components discovered in the last 3 months. This data is from the National Vulnerability Database run by the US Government. http://web.nvd.nist.gov/view/vuln/search?cid=1

Results are from the vulnerability keyword search (above url) using joomla as the keyword. Results are from last 3 months. I included the summary of the vulnerability for each.

If you are using one of these affected components on your site, update it to the latest version or completely remove the component (and its files) from your site if there is no update or patch.

CVE-2009-3822

Summary: PHP remote file inclusion vulnerability in Fiji Web Design Ajax Chat (com_ajaxchat) component 1.0 for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the GLOBALS[mosConfig_absolute_path] parameter to tests/ajcuser.php.
Published: 10/28/2009
CVSS Severity: 7.5 (HIGH)

CVE-2009-3817

Summary: PHP remote file inclusion vulnerability in doc/releasenote.php in the BookLibrary (com_booklibrary) component 1.0 for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter, a different vector than CVE-2009-2637. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Published: 10/28/2009
CVSS Severity: 7.5 (HIGH)

CVE-2009-3669

Summary: SQL injection vulnerability in the foobla Suggestions (com_foobla_suggestions) component 1.5.11 for Joomla! allows remote attackers to execute arbitrary SQL commands via the idea_id parameter to index.php.
Published: 10/11/2009
CVSS Severity: 7.5 (HIGH)

CVE-2009-3661

Summary: Multiple SQL injection vulnerabilities in the DJ-Catalog (com_djcatalog) component for Joomla! allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in a showItem action and (2) cid parameter in a show action to index.php.
Published: 10/11/2009
CVSS Severity: 6.8 (MEDIUM)

CVE-2009-3645

Summary: SQL injection vulnerability in the JoomlaCache CB Resume Builder (com_cbresumebuilder) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the group_id parameter in a group_members action to index.php.
Published: 10/09/2009
CVSS Severity: 7.5 (HIGH)

CVE-2009-3644

Summary: SQL injection vulnerability in the Soundset (com_soundset) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the cat_id parameter to index.php.
Published: 10/09/2009
CVSS Severity: 7.5 (HIGH)

CVE-2009-3491

Summary: SQL injection vulnerability in the Kinfusion SportFusion (com_sportfusion) component 0.2.2 through 0.2.3 for Joomla! allows remote attackers to execute arbitrary SQL commands via the cid[0] parameter in a teamdetail action to index.php.
Published: 09/30/2009
CVSS Severity: 7.5 (HIGH)

CVE-2009-3481

Summary: A certain interface in the iCRM Basic (com_icrmbasic) component 1.4.2.31 for Joomla! does not require administrative authentication, which has unspecified impact and remote attack vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Published: 09/30/2009
CVSS Severity: 7.5 (HIGH)

CVE-2009-3480

Summary: SQL injection vulnerability in the iCRM Basic (com_icrmbasic) component 1.4.2.31 for Joomla! allows remote attackers to execute arbitrary SQL commands via the p3 parameter to index.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Published: 09/30/2009
CVSS Severity: 7.5 (HIGH)

CVE-2009-3446

Summary: SQL injection vulnerability in the MyRemote Video Gallery (com_mytube) component 1.0 Beta for Joomla! allows remote attackers to execute arbitrary SQL commands via the user_id parameter in a videos action to index.php.
Published: 09/28/2009
CVSS Severity: 7.5 (HIGH)

CVE-2009-3443

Summary: SQL injection vulnerability in the Fastball (com_fastball) component 1.1.0 through 1.2 for Joomla! allows remote attackers to execute arbitrary SQL commands via the league parameter to index.php.
Published: 09/28/2009
CVSS Severity: 7.5 (HIGH)

CVE-2009-3438

Summary: SQL injection vulnerability in the JoomlaFacebook (com_facebook) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a student action to index.php.
Published: 09/28/2009
CVSS Severity: 7.5 (HIGH)

CVE-2009-3434

Summary: SQL injection vulnerability in the Tupinambis (com_tupinambis) component 1.0 for Mambo and Joomla! allows remote attackers to execute arbitrary SQL commands via the proyecto parameter in a verproyecto action to index.php.
Published: 09/28/2009
CVSS Severity: 7.5 (HIGH)

CVE-2009-3417

Summary: SQL injection vulnerability in the IDoBlog (com_idoblog) component 1.1 build 30 for Joomla! allows remote attackers to execute arbitrary SQL commands via the userid parameter in a profile action to index.php, a different vector than CVE-2008-2627.
Published: 09/25/2009
CVSS Severity: 7.5 (HIGH)

CVE-2009-3368

Summary: Cross-site scripting (XSS) vulnerability in the Hotel Booking Reservation System (aka HBS or com_hbssearch) component for Joomla! allows remote attackers to inject arbitrary web script or HTML via the adult parameter in a showhoteldetails action to index.php.
Published: 09/24/2009
CVSS Severity: 4.3 (MEDIUM)

CVE-2009-3357

Summary: Multiple SQL injection vulnerabilities in the Hotel Booking Reservation System (aka HBS or com_hbssearch) component for Joomla! allow remote attackers to execute arbitrary SQL commands via the (1) h_id, (2) id, and (3) rid parameters to longDesc.php, and the h_id parameter to (4) detail.php, (5) detail1.php, (6) detail2.php, (7) detail3.php, (8) detail4.php, (9) detail5.php, (10) detail6.php, (11) detail7.php, and (12) detail8.php, different vectors than CVE-2008-5865, CVE-2008-5874, and CVE-2008-5875.
Published: 09/24/2009
CVSS Severity: 7.5 (HIGH)

CVE-2009-3342

Summary: SQL injection vulnerability in frontend/assets/ajax/checkusername.php in the AlphaUserPoints (com_alphauserpoints) component 1.5.2 for Joomla! allows remote attackers to execute arbitrary SQL commands via the username2points parameter.
Published: 09/24/2009
CVSS Severity: 7.5 (HIGH)

CVE-2009-3335

Summary: SQL injection vulnerability in the TurtuShout component 0.11 for Joomla! allows remote attackers to execute arbitrary SQL commands via the Name field.
Published: 09/24/2009
CVSS Severity: 7.5 (HIGH)

CVE-2009-3334

Summary: SQL injection vulnerability in the Lhacky! Extensions Cave Joomla! Integrated Newsletters Component (aka JINC or com_jinc) component 0.2 for Joomla! allows remote attackers to execute arbitrary SQL commands via the newsid parameter in a messages action to index.php.
Published: 09/23/2009
CVSS Severity: 7.5 (HIGH)

CVE-2009-3332

Summary: SQL injection vulnerability in the JBudgetsMagic (com_jbudgetsmagic) component 0.3.2 through 0.4.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the bid parameter in a mybudget action to index.php.
Published: 09/23/2009
CVSS Severity: 7.5 (HIGH)

CVE-2009-3325

Summary: SQL injection vulnerability in the Focusplus Developments Survey Manager (com_surveymanager) component 1.5.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the stype parameter in an editsurvey action to index.php.
Published: 09/23/2009
CVSS Severity: 7.5 (HIGH)

CVE-2009-3318

Summary: Directory traversal vulnerability in the Roland Breedveld Album (com_album) component 1.14 for Joomla! allows remote attackers to access arbitrary directories and have unspecified other impact via a .. (dot dot) in the target parameter to index.php.
Published: 09/23/2009
CVSS Severity: 7.5 (HIGH)

CVE-2009-3316

Summary: SQL injection vulnerability in the JReservation (com_jreservation) component 1.0 and 1.5 for Joomla! allows remote attackers to execute arbitrary SQL commands via the pid parameter in a propertycpanel action to index.php.
Published: 09/23/2009
CVSS Severity: 7.5 (HIGH)

CVE-2009-3215

Summary: SQL injection vulnerability in IXXO Cart Standalone before 3.9.6.1, and the IXXO Cart component for Joomla! 1.0.x, allows remote attackers to execute arbitrary SQL commands via the parent parameter.
Published: 09/16/2009
CVSS Severity: 7.5 (HIGH)

CVE-2009-3193

Summary: SQL injection vulnerability in the DigiFolio (com_digifolio) component 1.52 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a project action to index.php.
Published: 09/15/2009
CVSS Severity: 7.5 (HIGH)

CVE-2009-3155

Summary: Cross-site scripting (XSS) vulnerability in gmap.php in the Almond Classifieds (com_aclassf) component 7.5 for Joomla! allows remote attackers to inject arbitrary web script or HTML via the addr parameter.
Published: 09/10/2009
CVSS Severity: 4.3 (MEDIUM)

CVE-2009-3154

Summary: SQL injection vulnerability in the Almond Classifieds (com_aclassf) component 7.5 for Joomla! allows remote attackers to execute arbitrary SQL commands via the replid parameter in a manw_repl add_form action to index.php, a different vector than CVE-2009-2567.
Published: 09/10/2009
CVSS Severity: 7.5 (HIGH)

CVE-2008-7169

Summary: SQL injection vulnerability in Jabode horoscope extension (com_jabode) for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a sign task to index.php.
Published: 09/08/2009
CVSS Severity: 7.5 (HIGH)

CVE-2009-3063

Summary: SQL injection vulnerability in the Game Server (com_gameserver) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a gamepanel action to index.php.
Published: 09/03/2009
CVSS Severity: 7.5 (HIGH)

CVE-2009-3054

Summary: SQL injection vulnerability in the Artetics.com Art Portal (com_artportal) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the portalid parameter to index.php.
Published: 09/03/2009
CVSS Severity: 7.5 (HIGH)

CVE-2009-3053

Summary: Directory traversal vulnerability in the Agora (com_agora) component 3.0.0b for Joomla! allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the action parameter to the avatars page, reachable through index.php.
Published: 09/03/2009
CVSS Severity: 6.8 (MEDIUM)

CVE-2008-7033

Summary: SQL injection vulnerability in the Simple Shop Galore (com_simpleshop) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the section parameter in a section action to index.php, a different vulnerability than CVE-2008-2568. NOTE: this issue was disclosed by an unreliable researcher, so the details might be incorrect.
Published: 08/24/2009
CVSS Severity: 7.5 (HIGH)

CVE-2009-2789

Summary: SQL injection vulnerability in the Permis (com_groups) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a list action to index.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Published: 08/17/2009
CVSS Severity: 7.5 (HIGH)

CVE-2009-2782

Summary: SQL injection vulnerability in the JFusion (com_jfusion) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the Itemid parameter to index.php.
Published: 08/17/2009
CVSS Severity: 7.5 (HIGH)

CVE-2008-6923

Summary: SQL injection vulnerability in the content component (com_content) 1.0.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the Itemid parameter in a blogcategory action to index.php.
Published: 08/10/2009
CVSS Severity: 7.5 (HIGH)

CVE-2008-6883

Summary: SQL injection vulnerability in the Live Chat (com_livechat) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the last parameter to getChatRoom.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Published: 07/30/2009
CVSS Severity: 7.5 (HIGH)

CVE-2008-6882

Summary: Live Chat (com_livechat) component 1.0 for Joomla! allows remote attackers to use the xmlhttp.php script as an open HTTP proxy to hide network scanning activities or scan internal networks via a GET request with a full URL in the query string.
Published: 07/30/2009
CVSS Severity: 7.5 (HIGH)

CVE-2008-6881

Summary: Multiple SQL injection vulnerabilities in the Live Chat (com_livechat) component 1.0 for Joomla! allow remote attackers to execute arbitrary SQL commands via the last parameter to (1) getChat.php, (2) getChatRoom.php, and (3) getSavedChatRooms.php.
Published: 07/30/2009
CVSS Severity: 7.5 (HIGH)
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator
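The post above tells site owners to check the components they have installed against the affected versions in the NVD summaries. As an added example (not code from the thread, NVD or any Joomla project), here is a small Python audit that reads each component's manifest, extracts the declared version and compares it with the quoted affected range; the manifest strings are constructed stand-ins for the XML files under administrator/components/com_*/ on a real Joomla 1.5 install, and the version comparison treats a trailing letter such as "3.0.0b" as a pre-release so that it sorts below "3.0.01".

```python
"""Check installed Joomla components against the affected versions quoted above.
Added example (not from the thread, NVD or any Joomla project); the manifests
below are constructed, standing in for administrator/components/com_*/*.xml."""
import re
import xml.etree.ElementTree as ET

# Affected versions as stated in the NVD summaries quoted in the first post.
# (lo, hi) is an inclusive range; None means the summary names no version.
ADVISORIES = {
    "com_ajaxchat":      ("CVE-2009-3822", ("1.0", "1.0")),
    "com_sportfusion":   ("CVE-2009-3491", ("0.2.2", "0.2.3")),
    "com_jbudgetsmagic": ("CVE-2009-3332", ("0.3.2", "0.4.0")),
    "com_agora":         ("CVE-2009-3053", ("3.0.0b", "3.0.0b")),
    "com_mytube":        ("CVE-2009-3446", ("1.0 Beta", "1.0 Beta")),
    "com_content":       ("CVE-2008-6923", ("1.0.0", "1.0.0")),
    "com_djcatalog":     ("CVE-2009-3661", None),
}

_TOKEN = re.compile(r"\d+|[A-Za-z]+")


def version_key(version):
    """Sortable key: numbers compare numerically (3.0.07 == 3.0.7), trailing
    '.0' padding is ignored (1.0 == 1.0.0) and a letter/word marks a
    pre-release, so 3.0.0b < 3.0.0 < 3.0.01. Tags: 2 number, 1 end, 0 pre."""
    parts = []
    for tok in _TOKEN.findall(version):
        if tok.isdigit():
            parts.append((2, int(tok)))
        else:
            while parts and parts[-1] == (2, 0):  # '3.0.0b' -> '3b'
                parts.pop()
            parts.append((0, tok.lower()))
    while parts and parts[-1] == (2, 0):          # '1.0.0' -> '1'
        parts.pop()
    parts.append((1,))  # end marker: above a pre-release, below any number
    return tuple(parts)


def manifest_version(xml_text):
    """Version declared in a Joomla manifest: root <install> (1.5) or
    <extension> (1.6+), each with a <version> child."""
    root = ET.fromstring(xml_text)
    if root.tag not in ("install", "extension"):
        raise ValueError("not a Joomla manifest: root <%s>" % root.tag)
    node = root.find("version")
    if node is None or not (node.text or "").strip():
        raise ValueError("manifest has no <version>")
    return node.text.strip()


def is_affected(installed, affected):
    """True if installed lies inside the inclusive (lo, hi) range."""
    lo, hi = affected
    return version_key(lo) <= version_key(installed) <= version_key(hi)


def audit(manifests):
    """manifests: {component dir name: manifest XML}. One finding per listed
    component; components not in ADVISORIES are skipped."""
    findings = []
    for component, xml_text in sorted(manifests.items()):
        if component not in ADVISORIES:
            continue
        cve, affected = ADVISORIES[component]
        installed = manifest_version(xml_text)
        if affected is None:
            status = "verify"        # no version in the summary: check by hand
        elif is_affected(installed, affected):
            status = "vulnerable"    # update it or remove it and its files
        else:
            status = "not affected"  # outside the quoted range
        findings.append({"component": component, "version": installed,
                         "cve": cve, "status": status})
    return findings


def _manifest(name, version):
    """Constructed Joomla 1.5 style manifest for the sample inventory."""
    return ('<install type="component" version="1.5"><name>%s</name>'
            '<version>%s</version></install>' % (name, version))


# Constructed sample inventory; none of these describe real extension files.
SAMPLE_MANIFESTS = {
    "com_agora":       _manifest("Agora", "3.0.0b"),       # the quoted version
    "com_sportfusion": _manifest("SportFusion", "0.2.4"),  # one past the range
    "com_djcatalog":   _manifest("DJ-Catalog", "1.2"),     # no version quoted
    "com_content":     _manifest("Content", "1.5.14"),     # core 1.5, not 1.0.0
    "com_banners":     _manifest("Banners", "1.5.0"),      # not on the list
}

if __name__ == "__main__":
    for f in audit(SAMPLE_MANIFESTS):
        print("%-16s %-8s %-14s %s" % (f["component"], f["version"],
                                       f["cve"], f["status"]))
```

A "verify" result is not a clean bill of health: the summary simply did not state which versions are affected, so the vendor's own advisory has to be consulted.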

jeffchannell
Joomla! Ace
Posts: 1964
Joined: Tue Jun 09, 2009 2:21 am
Location: WV

Re: Vulnerability List last 3 months from NVD - US Gov.

Postby jeffchannell » Fri Oct 30, 2009 9:29 pm

w00t, I am responsible for finding CVE-2009-3342, CVE-2009-3335, CVE-2008-6883, CVE-2008-6882, and CVE-2008-6881 !!
http://jeffchannell.com - Joomla Extensions & Support
http://biziant.com - Open Joomla Firewall/IDS
Unsolicited private messages/emails = hire me to fix your problem.
καλλιστι

fw116
Joomla! Ace
Posts: 1365
Joined: Tue Sep 06, 2005 11:18 am
Location: Germany

Re: Vulnerability List last 3 months from NVD - US Gov.

Postby fw116 » Fri Oct 30, 2009 11:01 pm

A really impressive list...

:eek:

Damn, I like my mod_security....

jeffchannell
Joomla! Ace
Posts: 1964
Joined: Tue Jun 09, 2009 2:21 am
Location: WV

Re: Vulnerability List last 3 months from NVD - US Gov.

Postby jeffchannell » Fri Oct 30, 2009 11:07 pm

fw116: only if your filters account for the attack vector. :D

fw116
Joomla! Ace
Posts: 1365
Joined: Tue Sep 06, 2005 11:18 am
Location: Germany

Re: Vulnerability List last 3 months from NVD - US Gov.

Postby fw116 » Sat Oct 31, 2009 3:50 pm

jeffchannell wrote: fw116: only if your filters account for the attack vector. :D

Well, my brother always calls me Mister Paranoia (nothing allowed so far :D), so I guess the filters are on track :D

Hazzaa
Joomla! Explorer
Posts: 342
Joined: Fri Nov 24, 2006 6:13 pm

Re: Vulnerability List last 3 months from NVD - US Gov.

Postby Hazzaa » Sun Nov 01, 2009 2:54 pm

FYI, Agora has been fixed. We also released a news announcement in reference to the attack.
Good list, by the way.

PhilD
Joomla! Hero
Posts: 2727
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA

Re: Vulnerability List last 3 months from NVD - US Gov.

Postby PhilD » Sun Nov 01, 2009 4:12 pm

Yes, I see that it is on the Extensions site. http://extensions.joomla.org/extensions ... forum/1891

Thanks for the update.

jeffchannell
Joomla! Ace
Posts: 1964
Joined: Tue Jun 09, 2009 2:21 am
Location: WV

Re: Vulnerability List last 3 months from NVD - US Gov.

Postby jeffchannell » Sun Nov 01, 2009 7:23 pm

@Hazzaa - I take it you guys fixed those other XSS issues I sent you re: 3.0.06?

Hazzaa
Joomla! Explorer
Posts: 342
Joined: Fri Nov 24, 2006 6:13 pm

Re: Vulnerability List last 3 months from NVD - US Gov.

Postby Hazzaa » Sun Nov 01, 2009 8:21 pm

When did you send? Please email me. There is nothing I am aware of, but it would be great to know.

Hazzaa
Joomla! Explorer
Posts: 342
Joined: Fri Nov 24, 2006 6:13 pm

Re: Vulnerability List last 3 months from NVD - US Gov.

Postby Hazzaa » Sun Nov 01, 2009 8:26 pm

Thanks Jeff, I just saw the PM now. Reply sent.

jeffchannell
Joomla! Ace
Posts: 1964
Joined: Tue Jun 09, 2009 2:21 am
Location: WV

Re: Vulnerability List last 3 months from NVD - US Gov.

Postby jeffchannell » Sun Nov 01, 2009 8:27 pm

I PMed you here on the J! forums, actually... PM me your email.

mandville
Joomla! Master
Posts: 13704
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Vulnerability List last 3 months from NVD - US Gov.

Postby mandville » Wed Nov 04, 2009 5:43 pm

I have fiddled the list provided by Jeff with a few more and it's currently in a construction page, before I merge it with the existing list.

(Sensible) comments please.
http://docs.joomla.org/Vulnerable_Extensions_List_oct

Hazza, is 3.0.7 the current unvulnerable version?


Edit to highlight the word construction
Last edited by mandville on Fri Nov 06, 2009 3:21 pm, edited 1 time in total.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security forums Moderator}

Hazzaa
Joomla! Explorer
Posts: 342
Joined: Fri Nov 24, 2006 6:13 pm

Re: Vulnerability List last 3 months from NVD - US Gov.

Postby Hazzaa » Wed Nov 04, 2009 5:50 pm

Jeff PM'ed me something that I still need to test. I have not confirmed this as of yet but will verify in the next day or so. If it is in fact an issue, we will have it fixed tomorrow. We begin on it today.

Hazzaa
Joomla! Explorer
Posts: 342
Joined: Fri Nov 24, 2006 6:13 pm

Re: Vulnerability List last 3 months from NVD - US Gov.

Postby Hazzaa » Wed Nov 04, 2009 5:53 pm

Sorry, the one you have listed on the linked page was resolved in Agora 3.0.01 Stable. We are now at 3.0.07 (as you know).

mandville
Joomla! Master
Posts: 13704
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Vulnerability List last 3 months from NVD - US Gov.

Postby mandville » Wed Nov 04, 2009 6:20 pm

Hazzaa wrote: Sorry, the one you have listed on the linked page was resolved in Agora 3.0.01 Stable. We are now at 3.0.07 (as you know)

Thanks.. I will update after your feedback with PhilD & Jeff..
Let me know and I'll alter it, and the other info in there is current I believe. I have updated the link to point to the 3.0.7 download.

edit to correct credits! (grovel) :-[
Last edited by mandville on Wed Nov 04, 2009 6:28 pm, edited 1 time in total.

PhilD
Joomla! Hero
Posts: 2727
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA

Re: Vulnerability List last 3 months from NVD - US Gov.

Postby PhilD » Wed Nov 04, 2009 6:20 pm

Good job fiddling with the list Mandville! Easy to read.

mandville
Joomla! Master
Posts: 13704
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Vulnerability List last 3 months from NVD - US Gov.

Postby mandville » Thu Nov 05, 2009 3:16 am

And to be added today:
CVE-2009-3835

Summary: SQL injection vulnerability in the JShop (com_jshop) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the pid parameter in a product action to index.php.
Published: 11/02/2009
CVSS Severity: 7.5 (HIGH)

mandville
Joomla! Master
Posts: 13704
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Vulnerability List last 3 months from NVD - US Gov.

Postby mandville » Fri Nov 06, 2009 3:16 pm

I would like to clear up some very obvious confusions that seem to be causing panic across the Joomla community by people who don't read the whole topic.

PhilD compiled the list, I just reformatted it.
Likewise, I am not responsible for the list existing in the first place; all the information is out there on the web in PD.

I have rights on the docs.joomla.org pages to create articles and took the list and reformatted it for ease of use.
The page that I linked to earlier, despite having several Under Construction notices on it, has been taken as gospel by some people.
On this UNDER CONSTRUCTION PAGE there is a resolution column, where, if found or notified the resolution links will be placed.

I have been asked to remove some links to fixed vulnerabilities; some I have done or marked as resolved. However, the basis that a developer has fixed an issue doesn't mean a user has updated the software, so I do not plan to remove the item for a good while after the issue is reported.

Also, the fact that some of these users have been running to different forums posting scare stories or questioning extension developers without checking this topic, the list instructions, or anything else first (like their own extension version number) is quite worrying. It has also been mentioned that the list is confusing. Can someone expand that point and explain how/why it is confusing?

I would like to thank the developers so far who have either responded in this post or contacted me to say the vulnerabilities were fixed.

P.S.
And most people would a) not have taken this on, b) dropped it at the first sign of criticism.

Hazzaa
Joomla! Explorer
Posts: 342
Joined: Fri Nov 24, 2006 6:13 pm

Re: Vulnerability List last 3 months from NVD - US Gov.

Postby Hazzaa » Fri Nov 06, 2009 3:32 pm

This will always happen, mandville.
Keep up the good work.

I sent an email to all my members but out of almost 150,000 downloads, I have a total of 8,000 members. I am quite sure I could not reach them all.

This will help spread the news.

One thing you may want to consider is, for the far right column with the link to the fixed version, using the word "Fix" or "Download Fix".

This may help those that don't look, don't read and jump the gun to better understand that they can resolve the issue.
However, you will still have a huge amount that will look at the first column and spread the news from there.

PhilD
Joomla! Hero
Posts: 2727
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA

Re: Vulnerability List last 3 months from NVD - US Gov.

Postby PhilD » Fri Nov 06, 2009 8:23 pm

As mandville has said I am the original compiler of the listings. She just formatted and incorporated the data onto the Joomla documentation site in such a way that it is easier to read and update. The vulnerable list mandville is revamping has been around for years, though we all tend to forget about it.

I applaud mandville for taking this project on, revamping the list and making the list more user friendly.

Comments:

While I like the idea of listing the current version of the product in the Resolved column, in the long run it may require less list maintenance if the words Get Newest Version or Get Update is used.

One other suggestion I would have is to make a perma link at the top of the security forum directly to the list.

Now to address some concerns that have been brought up about the data and the list.

There has been some concern the list is a scare tactic and may shy some people away who would otherwise use the component from installing and using it or create a flurry of posts on these forums and forums elsewhere about a problem that may have been corrected in a later version and does not exist anymore.

There also has been some concern that some of the listed data recently posted is old and that the component in question has had several revisions since the revision in question and should not have been listed.

The list was compiled from a public database and based on current listed data as of October 30, 2009. All summaries include the publish date to the Government database, i.e. when it was published publicly in the government database. This date has been included in the vulnerable component list.

Not all of the list came from me. With any listing there is a possibility of the data being somewhat dated because of the process involved in verifying the vulnerability. I do not know the time frame of this verification process, but the listed component versions did have an issue that was verified to get on the list in the first place. This includes beta versions of components if someone submitted the version.

I don't think that having a list of components that have a vulnerable version is a scare tactic especially when the information is already in the public domain.

I did say "If you are using one of these affected components on your site, update it to the latest version or completely remove the component (and its files) from your site if there is no update or patch." I think that statement is a responsible and true statement. I did not make (nor was I accused of doing so) the forum post requesting removal of a particular component that was posted in a warning type format, but I am sure it did get people's attention by the way it was worded. I do think it is still policy that when informed and verified the extension site administrators will remove the affected version of the extension.

The reason?
CMS users in general tend to install and forget until the site gets hacked. Many are inexperienced and know little about where to find reasonably good information to help them with an issue. It is good that the end user of a component becomes concerned, but I agree that many of those users will not check their version before posting to see if the version they are using is actually affected. Not much can be done about that though.

I don't think vulnerable versions of a component should be excluded or removed immediately from the list just because they are several versions older than current. Many do not keep their installs and components updated, and I think the listed versions of the components should remain listed for a while so we can refer people to check their versions against the list.

Removal after some predetermined time that can be agreed on here would be OK with me. I would suggest an average of 6 months. Remember, a link, where available, is being provided to the latest version from the vulnerability listing.

I do hope developers will look over the list and provide a link to their newest component version if the issue with a component version has been resolved.

jeffchannell
Joomla! Ace
Posts: 1964
Joined: Tue Jun 09, 2009 2:21 am
Location: WV

Re: Vulnerability List last 3 months from NVD - US Gov.

Postby jeffchannell » Fri Nov 06, 2009 9:06 pm

I say keep it, and preach it loud. If we try to downplay security risks, we're burying our heads in the sand.

mandville
Joomla! Master
Posts: 13704
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Vulnerability List last 3 months from NVD - US Gov.

Postby mandville » Mon Nov 09, 2009 8:17 pm

OK, if there are no other useful comments, then I will make the list currently at http://docs.joomla.org/index.php?title= ... s_List_oct the active one. I will request the page is moved to an active state to replace the existing OOD page.

mandville
Joomla! Master
Posts: 13704
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Vulnerability List last 3 months from NVD - US Gov.

Postby mandville » Mon Nov 09, 2009 9:57 pm

OK, thanks to Dave,
the new "oct" list is now at http://docs.joomla.org/Vulnerable_Extensions_List
and the original old one is now at http://docs.joomla.org/Vulnerable_Extensions_List_(Archived)

I suppose that I will set up a new topic announcement for it.

geekhead
Joomla! Intern
Posts: 83
Joined: Mon May 21, 2007 2:44 am
Location: Connecticut USA

Re: Vulnerability List last 3 months from NVD - US Gov.

Postby geekhead » Tue Nov 10, 2009 5:51 pm

In the original post Joomlacache was listed.

The resume component was updated and secured within four days and the new version was made available immediately.

Anyone with a valid subscription, even if it has expired, is eligible to get the latest secured version.

FYI: we are also being removed from the IBM vulnerability list; that should happen in a day or so.
Joomla Extensions Development http://www.madeforjoomla.com and website help at http://www.911websiterepair.com

mandville
Joomla! Master
Posts: 13704
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Vulnerability List last 3 months from NVD - US Gov.

Postby mandville » Tue Nov 10, 2009 6:09 pm

I have updated the vulnerable list to include the fix for the Joomlacache extension.
Thanks for the report.

mandville
Joomla! Master
Posts: 13704
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Vulnerability List last 3 months from NVD - US Gov.

Postby mandville » Thu Nov 19, 2009 4:40 am

Several more extensions have been added to the list, and some resolved. Please visit it NOW.
Thanks.

mark_up
Joomla! Guru
Posts: 849
Joined: Sun Oct 29, 2006 10:51 am
Location: Fiji

Re: Vulnerability List last 3 months from NVD - US Gov.

Postby mark_up » Fri Nov 27, 2009 12:09 am

Hi mandville,

Thanks for maintaining the list.

Could you please add this link to a patch for the NinjaMonials 1.1 vulnerability.

Also, can we discuss why the date mentioned is "18 November 2009"?
The vulnerability was discovered in the deprecated version of NinjaMonials for Joomla 1.0. This discovery was made over three months ago, in August. A fix was released within 12 hours. Why not list the date of the original discovery (24/08/09)? A correct date for both the vulnerability and the fix will more accurately reflect the current status of the extension as well as show how seriously (or not) the developers take security.

I would suggest also making it clear whether the vulnerable extension is for J1.0 or J1.5. Nobody shopping for a Testimonial extension today is going to be doing it for a J1.0 website, yet your listing doesn't explicitly state that only the J1.0 version was vulnerable. No J1.5 version of Ninjamonials has ever been found vulnerable.

Anyway, just wanted to post my thoughts. I would at the very least just like a link to the patched version added to your table.

Thanks
Mark
Last edited by mark_up on Fri Nov 27, 2009 4:29 am, edited 1 time in total.
http://twitter.com/mark_up.
Opinions expressed are mine alone and don't necessarily represent the views of any organisation I am associated with.

mandville
Joomla! Master
Posts: 13704
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Vulnerability List last 3 months from NVD - US Gov.

Postby mandville » Fri Nov 27, 2009 1:05 am

Hi, I will break this into parts for ease of response if that's ok.

mark_up wrote:
Thanks for maintaining the list.

That's ok, someone has to do it. There is a little team of us; I'm just the face of it.

mark_up wrote:
Could you please add a link to a patch for the NinjaMonials 1.1 vulnerability.

Done, with the new version number noted.

mark_up wrote:
Also, can we discuss why the date mentioned is "18 November 2009"?

That was the date it was added to the list, not the date of find or notification.

mark_up wrote:
I would suggest also making it clear whether the vulnerable extension is for J1.0 or J1.5.

I have added to make it clear the Joomla version it was for.

mark_up wrote:
Nobody shopping for a Testimonial extension today is going to be doing it for a J1.0 website,

Want to bet on that?! :p :eek:

mark_up wrote:
No J1.5 version of Ninjamonials has ever been found vulnerable.

Great to hear that on all counts.

mark_up wrote:
Anyway, just wanted to post my thoughts. I would at the very least just like a link to the patched version added to your table.

We welcome all comments in an attempt to improve the list, and hope/wish that some of the other devs are as on the ball as you.
We also try to only list security advisory sites that don't have the downloadable exploit, to prevent other sites being "done over", as it were.

PS
GollumX wrote:
Hi Mandy,

Sorry, I am not "Mandy" or any variation of Mandville ;D

mark_up
Joomla! Guru
Posts: 849
Joined: Sun Oct 29, 2006 10:51 am
Location: Fiji
Contact:

Re: Vulnerability List last 3 months from NVD - US Gov.

Postby mark_up » Fri Nov 27, 2009 2:40 am

OMG, for a split second as I was typing I wondered whether I was getting your name wrong. No idea why, but I was almost certain that I had read either you call yourself, or someone else call you, Mandy somewhere else on this forum.
Sorry about that.

Thanks for the quick response :)

mandville wrote:
Nobody shopping for a Testimonial extension today is going to be doing it for a J1.0 website
want to bet on that?! :p :eek:


I shall decline this bet :p

Thanks again
-Mark
Last edited by mark_up on Fri Nov 27, 2009 3:09 am, edited 1 time in total.

mandville
Joomla! Master
Posts: 13704
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Vulnerability List last 3 months from NVD - US Gov.

Postby mandville » Fri Nov 27, 2009 2:56 am

Apart from the other matter (edit as needed), was everything else ok and a little clearer for everyone?
