PCI Compliance issue in component/mailto
Moderator: General Support Moderators
-
- Joomla! Apprentice
- Posts: 8
- Joined: Wed Mar 19, 2008 9:39 am
PCI Compliance issue in component/mailto
Hi I'm trying to resolve this issue for our PCI compliance scan. Any idea where to start? Security Metrics is reporting a high-risk issue with this description. Is this a Joomla security issue?
Thanks
Description: SQL injection vulnerability in tmpl parameter to /component/mailto/
Severity: Critical Problem
Impact: A remote attacker could execute SQL commands on the back-end database, possibly leading to password retrieval, authentication bypass, unauthorized data access, or unauthorized data modification.
Background: Structured Query Language (SQL) is the most common language understood by modern relational databases. It is made up of queries. A typical query reads: SELECT * FROM table WHERE condition where table is a table belonging to a relational database, and condition is a logic condition which is either true or false for each row of the table. The query would return any or all rows for which the condition is true.
Resolution: All user-supplied parameters should be checked for illegal characters, such as a single quote ('), before being used in an SQL query
- toivo
- Joomla! Master
- Posts: 17352
- Joined: Thu Feb 15, 2007 5:48 am
- Location: Sydney, Australia
Re: PCI Compliance issue in component/mailto
Which particular version of Joomla 1.5 are you running?
There was a vulnerability in the com_mailto component, published on 8 April 2008. Joomla 1.5.3 was released on 24 April 2008, and com_mailto was part of the patch package. One can assume that the problem was fixed.
Another vulnerability in com_mailto was published on 1 May 2009, supposedly affecting all Joomla versions up to and including 1.5.10. However, that report was 'retired' a short time after:
"Further information from the vendor indicates that the application is not vulnerable."
The existence of com_mailto in your system does not necessarily make it vulnerable. Security Metrics should be able to give you the information which particular vulnerability their report refers to, e.g. CVE-2009-1499.
Toivo Talikka, Global Moderator
-
- Joomla! Apprentice
- Posts: 8
- Joined: Wed Mar 19, 2008 9:39 am
Re: PCI Compliance issue in component/mailto
Hi it is 1.5.22 if that helps.
Thx
- mandville
- Joomla! Master
- Posts: 15150
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: PCI Compliance issue in component/mailto
please search the forums for both securitymetric and pci.
this may help a lot on your issue
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
-
- Joomla! Apprentice
- Posts: 8
- Joined: Wed Mar 19, 2008 9:39 am
Re: PCI Compliance issue in component/mailto
I always run search strings before posting any question. There is nothing about this issue and PCI. Any ideas why this core component is failing security check?
Thx
- mandville
- Joomla! Master
- Posts: 15150
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: PCI Compliance issue in component/mailto
you can run a pci check several times and it will give different answers,
as in this case, how come you have got a mailto failure, when others don't, etc.
have a look at this post http://www.howtojoomla.net/how-tos/secu ... ce-article
http://forum.joomla.org/viewtopic.php?f=432&t=475221
http://forum.joomla.org/viewtopic.php?f=432&t=438515 may also help.
take toivos advice
Security Metrics should be able to give you the information which particular vulnerability their report refers to, e.g. CVE-2009-149
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
-
- Joomla! Apprentice
- Posts: 8
- Joined: Wed Mar 19, 2008 9:39 am
Re: PCI Compliance issue in component/mailto
Hi thanks for the links, although none of those articles deal with this issue directly. I appreciate you trying to help. The vulnerability listed above, CVE-2009-149 was patched, and resolved right?
If that's the case, and I am running the latest build then why would my site be flagged specifically for this issue?
In this case, I got the flag the first time I ran the scan, then upgraded Joomla build, then ran the scan again, but the issue remains. Is it possible that this component (previously affected by the vulnerability) was not patched over by the latest Joomla build?
- toivo
- Joomla! Master
- Posts: 17352
- Joined: Thu Feb 15, 2007 5:48 am
- Location: Sydney, Australia
Re: PCI Compliance issue in component/mailto
"The vulnerability listed above, CVE-2009-149 was patched, and resolved right?"
According to http://cve.mitre.org/cgi-bin/cvename.cg ... -2009-1499, the vulnerability has 'candidate' status, meaning that it:
"... must be reviewed and accepted by the CVE Editorial Board before it can be updated to official "Entry" status on the CVE List. It may be modified or even rejected in the future."
According to SecurityFocus, the report is 'retired'.
Toivo Talikka, Global Moderator
-
- Joomla! Apprentice
- Posts: 8
- Joined: Wed Mar 19, 2008 9:39 am
Re: PCI Compliance issue in component/mailto
FYI, on a whim, I replaced com_mailto on our server with the latest build from 1.6, and PCI scan passed. It could be possible that the version we had did not get properly patched from 1.5.12 previously. Although I thought this issue predates that build. So, weird. Regardless, we have a passing grade now. Thanks for all user input, much appreciated.
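An added example, not part of the original thread and not Joomla's own code: one way to test the hypothesis in the post above, that an upgrade left stale com_mailto files behind, is to hash the installed component directory against the same directory unpacked from the official package for the running version. Both directories are supplied by the caller; the file names and contents in `demo()` are constructed, not real Joomla files.

```python
import hashlib
import tempfile
from pathlib import Path


def tree_hashes(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*") if p.is_file()
    }


def compare_component(installed_dir, reference_dir):
    """Diff an installed component tree against a pristine release copy."""
    installed, reference = tree_hashes(installed_dir), tree_hashes(reference_dir)
    common = installed.keys() & reference.keys()
    return {
        "modified": sorted(p for p in common if installed[p] != reference[p]),
        "missing": sorted(reference.keys() - installed.keys()),  # not on the server
        "extra": sorted(installed.keys() - reference.keys()),    # not in the release
    }


def demo():
    """Run the comparison on two small constructed trees (not real Joomla files)."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, inst = Path(tmp, "reference"), Path(tmp, "installed")
        for base in (ref, inst):
            (base / "views").mkdir(parents=True)
            (base / "controller.php").write_text("<?php // constructed: patched\n")
        # Constructed differences: one stale file, one missing file, one leftover.
        (inst / "controller.php").write_text("<?php // constructed: stale copy\n")
        (ref / "views" / "view.html.php").write_text("<?php // constructed\n")
        (inst / "leftover.php").write_text("<?php // constructed\n")
        return compare_component(inst, ref)


if __name__ == "__main__":
    import sys
    # Usage: script.py <installed component dir> <pristine component dir>
    report = compare_component(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else demo()
    for kind, paths in report.items():
        for path in paths:
            print(f"{kind}: {path}")
```

An empty report means the installed component matches the release byte for byte, which points toward the scanner finding being a false positive rather than a stale file.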
- toivo
- Joomla! Master
- Posts: 17352
- Joined: Thu Feb 15, 2007 5:48 am
- Location: Sydney, Australia
Re: PCI Compliance issue in component/mailto
Good to hear that, as long as you do not expect com_mailto from 1.6 to work with 1.5.22
Toivo Talikka, Global Moderator
-
- Joomla! Fledgling
- Posts: 2
- Joined: Tue Jul 27, 2010 8:54 pm
Re: PCI Compliance issue in component/mailto
We had an identical issue with one of our clients, and disabling the "mailto" module in Joomla fixed the issue. (We weren't actually using the Mailto anyway.)
This was with Joomla 1.5.22. Given that the other vulnerability that the PCI compliance scanner found was a false positive, I'm not certain that it was actually a problem.