PCI Compliance issue in component/mailto

Discussion regarding Joomla! 1.5 security issues.
magmata
Joomla! Apprentice
Posts: 8
Joined: Wed Mar 19, 2008 9:39 am

PCI Compliance issue in component/mailto

Post by magmata » Sat Jan 29, 2011 1:45 am

Hi I'm trying to resolve this issue for our PCI compliance scan. Any idea where to start? Security Metrics is reporting a high-risk issue with this description. Is this a Joomla security issue?

Thanks

Description: SQL injection vulnerability in tmpl parameter to /component/mailto/
Severity: Critical Problem
Impact: A remote attacker could execute SQL commands on the back-end database, possibly leading to password retrieval, authentication bypass, unauthorized data access, or unauthorized data modification.
Background: Structured Query Language (SQL) is the most common language understood by modern relational databases. It is made up of queries. A typical query reads:
SELECT * FROM table WHERE condition
where table is a table belonging to a relational database, and condition is a logic condition which is either true or false for each row of the table. The query would return any or all rows for which the condition is true.
Resolution: All user-supplied parameters should be checked for illegal characters, such as a single quote ('), before being used in an SQL query

toivo
Joomla! Master
Posts: 17352
Joined: Thu Feb 15, 2007 5:48 am
Location: Sydney, Australia

Re: PCI Compliance issue in component/mailto

Post by toivo » Sat Jan 29, 2011 3:51 am

Which particular version of Joomla 1.5 are you running?

There was a vulnerability in the com_mailto component, published on 8 April 2008. Joomla 1.5.3 was released on 24 April 2008, and com_mailto was part of the patch package. One can assume that the problem was fixed.

Another vulnerability in com_mailto was published on 1 May 2009, supposedly affecting all Joomla versions up to and including 1.5.10. However, that report was 'retired' a short time after:
"Further information from the vendor indicates that the application is not vulnerable."
The existence of com_mailto in your system does not necessarily make it vulnerable. Security Metrics should be able to give you the information about which particular vulnerability their report refers to, e.g. CVE-2009-1499.
Toivo Talikka, Global Moderator

Re: PCI Compliance issue in component/mailto

Post by magmata » Sat Jan 29, 2011 4:43 am

Hi it is 1.5.22 if that helps.

Thx

mandville
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: PCI Compliance issue in component/mailto

Post by mandville » Sat Jan 29, 2011 5:19 am

please search the forums for both securitymetric and pci.
this may help a lot on your issue
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

Re: PCI Compliance issue in component/mailto

Post by magmata » Sat Jan 29, 2011 6:11 pm

I always run search strings before posting any question. There is nothing about this issue and PCI. Any ideas why this core component is failing security check?

Thx

Re: PCI Compliance issue in component/mailto

Post by mandville » Sat Jan 29, 2011 7:12 pm

you can run a pci check several times and it will give different answers,
as in this case, how come you have got a mailto failure, when others don't, etc.

have a look at this post http://www.howtojoomla.net/how-tos/secu ... ce-article
http://forum.joomla.org/viewtopic.php?f=432&t=475221
http://forum.joomla.org/viewtopic.php?f=432&t=438515 may also help.

take toivo's advice
"Security Metrics should be able to give you the information which particular vulnerability their report refers to, e.g. CVE-2009-149"

Re: PCI Compliance issue in component/mailto

Post by magmata » Sat Jan 29, 2011 10:59 pm

Hi thanks for the links, although none of those articles deal with this issue directly. I appreciate you trying to help. The vulnerability listed above, CVE-2009-149 was patched, and resolved right?

If that's the case, and I am running the latest build then why would my site be flagged specifically for this issue?

In this case, I got the flag the first time I ran the scan, then upgraded Joomla build, then ran the scan again, but the issue remains. Is it possible that this component (previously affected by the vulnerability) was not patched over by the latest Joomla build?

Re: PCI Compliance issue in component/mailto

Post by toivo » Sat Jan 29, 2011 11:28 pm

"The vulnerability listed above, CVE-2009-149 was patched, and resolved right?"
According to http://cve.mitre.org/cgi-bin/cvename.cg ... -2009-1499, the vulnerability has 'candidate' status, meaning that it:
"... must be reviewed and accepted by the CVE Editorial Board before it can be updated to official "Entry" status on the CVE List. It may be modified or even rejected in the future."
According to SecurityFocus, the report is 'retired'.
Toivo Talikka, Global Moderator

Re: PCI Compliance issue in component/mailto

Post by magmata » Sun Jan 30, 2011 4:49 am

FYI, on a whim, I replaced com_mailto on our server with the latest build from 1.6, and PCI scan passed. It could be possible that the version we had did not get properly patched from 1.5.12 previously. Although I thought this issue predates that build. So, weird. Regardless, we have a passing grade now. Thanks for all user input, much appreciated.
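
The doubt raised in the post above, whether the installed com_mailto files really match the release they are supposed to be, can be settled by hashing the installed component directory against a copy unpacked from the official package for the same Joomla version. The following is an added example, not part of the original thread or any Joomla tooling; the directory layout and file names in the demo are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare_component(installed, reference):
    """Report files that differ from, are missing from, or are extra to the reference."""
    inst, ref = hash_tree(installed), hash_tree(reference)
    return {
        "modified": sorted(f for f in inst.keys() & ref.keys() if inst[f] != ref[f]),
        "missing": sorted(ref.keys() - inst.keys()),
        "extra": sorted(inst.keys() - ref.keys()),
    }


def demo():
    """Build two small constructed trees and compare them (sample data only)."""
    with tempfile.TemporaryDirectory() as tmp:
        ref = Path(tmp, "reference", "com_mailto")
        inst = Path(tmp, "installed", "com_mailto")
        files = {"controller.php": b"<?php // release copy\n",
                 "mailto.php": b"<?php // release copy\n",
                 "views/mailto/view.html.php": b"<?php // release copy\n"}
        for base in (ref, inst):
            for name, body in files.items():
                (base / name).parent.mkdir(parents=True, exist_ok=True)
                (base / name).write_bytes(body)
        # Simulate an incomplete upgrade: one stale file, one missing, one leftover.
        (inst / "controller.php").write_bytes(b"<?php // older copy\n")
        (inst / "mailto.php").unlink()
        (inst / "old_helper.php").write_bytes(b"<?php // leftover\n")
        return compare_component(inst, ref)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(kind, names)
```

Any entry under "modified" or "extra" is worth reviewing before re-running the scan: a stale file points to an incomplete upgrade, and an unexpected extra file in a core component directory should be explained.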

Re: PCI Compliance issue in component/mailto

Post by toivo » Sun Jan 30, 2011 7:03 am

Good to hear that, as long as you do not expect com_mailto from 1.6 to work with 1.5.22 ;)
Toivo Talikka, Global Moderator

OrphicWorkshop
Joomla! Fledgling
Posts: 2
Joined: Tue Jul 27, 2010 8:54 pm

Re: PCI Compliance issue in component/mailto

Post by OrphicWorkshop » Mon Mar 28, 2011 10:26 pm

We had an identical issue with one of our clients, and disabling the "mailto" module in Joomla fixed the issue. (We weren't actually using the Mailto anyway.)

This was with Joomla 1.5.22. Given that the other vulnerability that the PCI compliance scanner found was a false positive, I'm not certain that it was actually a problem.
