Joomla! Discussion Forums

Remote file include exploit is in the wild.

more specifics?

I wish I could give more specifics, but as far as I am aware an official advisory has not yet been issued. I got my information from two blackhat sites, both giving scripts to use.  I can only share that information with the projects developers, sorry

TITLE:
Joomla Security Images Component File Inclusion

SECUNIA ADVISORY ID:
SA21260

VERIFY ADVISORY:
http://secunia.com/advisories/21260/

CRITICAL:
Highly critical

IMPACT:
System access

WHERE:
From remote

SOFTWARE:
Security Images 3.x (component for Joomla)
http://secunia.com/product/11186/

DESCRIPTION:
Drago84 has discovered some vulnerabilities in the Security Images
component for Joomla, which can be exploited by malicious people to
compromise a vulnerable system.

Input passed to the "mosConfig_absolute_path" parameter is not
properly verified before being used to include files. This can be
exploited to execute arbitrary PHP code by including files from local
or external resources.

Affected files:
administrator/components/com_securityimages/configinsert.php
administrator/components/com_securityimages/lang.php

Successful exploitation requires that "register_globals" is enabled.

The vulnerabilities have been confirmed in version 3.0.5. Other
version may also be affected.

SOLUTION:
Edit the source code to ensure that input is properly verified.

Set "register_globals" to "Off".

PROVIDED AND/OR DISCOVERED BY:
Drago84

ORIGINAL ADVISORY:
http://milw0rm.com/exploits/2083

----------------------------------------------------------------------

Thanks all for the info... added to the official list.

it seems to me that anyone who understands php could easily patch Security Images.

only 2 files are listed as liabilities....

and the fix suggested in this forum is to harden the call to by defining the absolute path:

unfortunately, i don't know php well enough to apply this.

anyone?

Version 3.06 has been brought out: http://forge.joomla.org/sf/projects/com_securityimages.

wish i could get the new one to work

Using 3.0.6 and the latest Akobook version, but it just refuses to work.

Only can get the freecap plugin to appear - the other two just dont do anything - and even though it appears to work, when u submit the guestbook entry - having put the secuity word in, it doesnt work.

I thought that I was being dumb and that I hadnt realised it was case sensitive - but either I'm blind, or it really doesnt want to know.

I did wonder whether the hardening of the latest joomla but i'm not sure.

If anyone wants to try and see, go to the guestbook at: http://www.threeminutewarning.co.uk

I really feel like never updating any component or Joomla itself again as something always goes wrong hehe

/rant

Cheers
Nath.

Nath - make sure you report this on the bug tracker on the forge's project pages.
Project devs do see these reports but may miss seeing forum posts.

Hi there

I've just posted a topic on their forum at http://forums.waltercedric.com/index.ph ... ,16.0.html

Can't seem to find the SF for the project hehe Maybe its me being dumb or something today lol

Cheers
Nath.

Hi Nath,

From Walter Cedric's wiki you are referred to http://developer.joomla.org/sf/sfmain/d ... rityimages.
So that's the place to go! 

ahhhhh thats the one

Thanks [and it looks like all my problems have been mentioned already - except integration into the SMF Bridge perhaps]

Cheers
Nath.

tell me more.