Joomla! 'com_docman' Component Multiple SQL Injection Vulner
Moderator: General Support Moderators
Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
- fw116
- Joomla! Ace
- Posts: 1373
- Joined: Tue Sep 06, 2005 11:18 am
- Location: Germany
Joomla! 'com_docman' Component Multiple SQL Injection Vulner
Bugtraq ID: 47857
Class: Input Validation Error
CVE:
Remote: Yes
Local: No
Published: May 16 2011 12:00AM
Updated: May 16 2011 12:00AM
Credit: KedAns-Dz
Vulnerable: Joomla com_docman 0
- mandville
- Joomla! Master
- Posts: 15149
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Joomla! 'com_docman' Component Multiple SQL Injection Vu
is that a docman bug ID?
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
- brian
- Joomla! Master
- Posts: 12781
- Joined: Fri Aug 12, 2005 7:19 am
- Location: Leeds, UK
- Contact:
Re: Joomla! 'com_docman' Component Multiple SQL Injection Vu
No, it's a securityfocus.com Bugtraq ID to a report of an alleged vuln with no version number. As DOCman is not yet available for 1.6, it's in the wrong forum.
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/
- mandville
- Joomla! Master
- Posts: 15149
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Joomla! 'com_docman' Component Multiple SQL Injection Vu
item unpublished from jed, dev contacted, listed on vel
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
- brian
- Joomla! Master
- Posts: 12781
- Joined: Fri Aug 12, 2005 7:19 am
- Location: Leeds, UK
- Contact:
Re: Joomla! 'com_docman' Component Multiple SQL Injection Vu
Is that the correct thing to do? It's a report on an unnamed version.
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/
- mandville
- Joomla! Master
- Posts: 15149
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Joomla! 'com_docman' Component Multiple SQL Injection Vu
That is the standard procedure as decided by both JED and VEL teams.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
- Jinx
- Joomla! Champion
- Posts: 6508
- Joined: Fri Aug 12, 2005 12:47 am
- Contact:
Re: Joomla! 'com_docman' Component Multiple SQL Injection Vu
The reported security issue on SecurityFocus relates to a security exploit in an older version of DOCman (1.3). It's an issue that was fixed for DOCman 1.4 and 1.5.
Exploit
The actual exploit was published on PacketStorm Security. This is the link to the post: http://packetstormsecurity.org/files/10 ... ction.html
The demo URL for the exploit goes to: http://www.voicilepoux.org. This site is running Mambo and not Joomla. See: http://www.voicilepoux.org/administrator/
The version of DOCman installed on this site is 1.3.0 and dates back to September 2005. See: http://www.voicilepoux.org/administrato ... ngelog.txt
Solution
Users who are still using DOCman 1.3 should immediately upgrade to the latest 1.4.2 or 1.5.10 version.
Based on this information, can I please ask to re-publish our DOCman listing as soon as possible and remove the information about the exploit from the wiki.
Johan Janssens - Joomla Co-Founder, Lead Developer of Joomla 1.5
http://www.joomlatools.com - Joomla extensions that just work
- mandville
- Joomla! Master
- Posts: 15149
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Joomla! 'com_docman' Component Multiple SQL Injection Vu
Thanks for the quick response, email sent. Topic closed.
Thanks to Fw116 for the report
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}