Joomla JIM Component File Inclusion Vulnerability

For all Non-Joomla! security issues. ie 3pd Components etc.

Moderator: General Support Moderators

Forum rules
Locked
User avatar
smart
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 109
Joined: Thu Aug 18, 2005 1:33 pm
Location: Sebastopol
Contact:

Joomla JIM Component File Inclusion Vulnerability

Post by smart » Fri Aug 18, 2006 10:40 am

Secunia Advisory: SA21545 Print Advisory 
Release Date: 2006-08-18

Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched

Software: JIM 1.x (component for Joomla)

Select a product and view a complete list of all Patched/Unpatched Secunia advisories affecting it.

Description:
XORON has discovered a vulnerability in the JIM component for Joomla, which can be exploited by malicious people to compromise a vulnerable system.

Input passed to the "mosConfig_absolute_path" parameter in components/com_jim/install.jim.php is not properly verified, before it is used to include files. This can be exploited to include arbitrary files from external and local resources.

Successful exploitation requires that "register_globals" is enabled.

The vulnerability has been confirmed in version 1.0.1. Other versions may also be affected.

Solution:
Edit the source code to ensure that the input is properly verified.

Set "register_globals" to "Off".

Read more: http://secunia.com/advisories/21545/
Joomlaportal.ru News, articles and tutorials
Joomlaforum.ru Russian Joomla Support Forum
Member of the Russian Joomla Translation Team

User avatar
globule
Joomla! Guru
Joomla! Guru
Posts: 551
Joined: Tue Aug 30, 2005 9:11 pm
Location: Aix-En-Provence, France
Contact:

Re : Joomla JIM Component File Inclusion Vulnerability

Post by globule » Fri Aug 18, 2006 11:31 am

URGENT You can make JIM secured (for this point) by removing line 16 in install.jim.php:

Code: Select all

require_once($mosConfig_absolute_path."/components/com_jim/readme.txt");
Any user who is victim of an attack using JIM will get free support on :
http://www.joomlation.eu (intl)
or
http://www.joomlation.org (fr)
Last edited by globule on Fri Aug 18, 2006 1:33 pm, edited 1 time in total.
May the forge be with you!
http://www.joomlation.eu (intl)
http://www.joomlation.org (fr)

User avatar
Tonie
Joomla! Master
Joomla! Master
Posts: 16553
Joined: Thu Aug 18, 2005 7:13 am

Re: Joomla JIM Component File Inclusion Vulnerability

Post by Tonie » Fri Aug 18, 2006 11:39 am

@globule. That was fast, good to read. Just sent you an email five minutes ago.

User avatar
globule
Joomla! Guru
Joomla! Guru
Posts: 551
Joined: Tue Aug 30, 2005 9:11 pm
Location: Aix-En-Provence, France
Contact:

Re : Joomla JIM Component File Inclusion Vulnerability

Post by globule » Fri Aug 18, 2006 12:01 pm

I subscribed to Secunia a few days ago! :P
I was cooking for my children when I've been informed >:(

Thanks for the information anyway! ;)

All "Come on... Joomla!" members informed using the newsletter. As this site will soon close, my efforts (Jim included) goes to Joomlation.

Here is the patched file for users. Use FTP to update /administrator/components/com_jim/install.jim.php
You don't need to remove JIM. If you do so, you will loose ALL messages
(This is already corrected for next version)

The patch is also available on Joomlation.eu
You do not have the required permissions to view the files attached to this post.
Last edited by globule on Fri Aug 18, 2006 1:52 pm, edited 1 time in total.
May the forge be with you!
http://www.joomlation.eu (intl)
http://www.joomlation.org (fr)

joomlaturk
Joomla! Explorer
Joomla! Explorer
Posts: 469
Joined: Thu Aug 18, 2005 10:40 pm
Location: las vegas USA
Contact:

Re: Joomla JIM Component File Inclusion Vulnerability

Post by joomlaturk » Fri Aug 18, 2006 12:18 pm

http://www.joomlation.eu/

Forbidden
You don't have permission to access / on this server.

Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.
joomla 1.6 Türk destek sitesi http://www.joomlaturk.net/

User avatar
globule
Joomla! Guru
Joomla! Guru
Posts: 551
Joined: Tue Aug 30, 2005 9:11 pm
Location: Aix-En-Provence, France
Contact:

Re : Joomla JIM Component File Inclusion Vulnerability

Post by globule » Fri Aug 18, 2006 12:24 pm

It works for me!
Where are you from?
May the forge be with you!
http://www.joomlation.eu (intl)
http://www.joomlation.org (fr)

shutchi2
Joomla! Apprentice
Joomla! Apprentice
Posts: 11
Joined: Thu Jan 12, 2006 12:45 am
Location: Westland, MI
Contact:

Re: Joomla JIM Component File Inclusion Vulnerability

Post by shutchi2 » Fri Aug 18, 2006 12:41 pm

Well, I had people from 14 different countries do a google search on inurl:com_jim and they tagged me good.  My site is completely down for now.

Luckily for me I was at the top of the google search (mixed blessing).  :(

Scott
http://www.shutchi2.com

joomlaturk
Joomla! Explorer
Joomla! Explorer
Posts: 469
Joined: Thu Aug 18, 2005 10:40 pm
Location: las vegas USA
Contact:

Re: Re : Joomla JIM Component File Inclusion Vulnerability

Post by joomlaturk » Fri Aug 18, 2006 12:57 pm

globule wrote: It works for me!
Where are you from?
of course it works for you !!

I am from İstanbul Turkey.
most likely you banned all the Turkish IPs.

I am fed up arguing about this subject.... I'd gave up !!!

you guys do whatever makes you happy... I have respect to your decision.

I can connect to http://www.joomlation.org/ but my french sucks !

EDİT
thanks for removing IP ban globule..
I'd appreciated your decision.
Last edited by Anonymous on Fri Aug 18, 2006 1:26 pm, edited 1 time in total.
joomla 1.6 Türk destek sitesi http://www.joomlaturk.net/

User avatar
globule
Joomla! Guru
Joomla! Guru
Posts: 551
Joined: Tue Aug 30, 2005 9:11 pm
Location: Aix-En-Provence, France
Contact:

Re : Joomla JIM Component File Inclusion Vulnerability

Post by globule » Fri Aug 18, 2006 1:05 pm

Now JIM has been attacked, the whole site can be considered has tested and safe (I hope...)
So this filter will soon be removed. I'm sorry I had to take such a decision...
May the forge be with you!
http://www.joomlation.eu (intl)
http://www.joomlation.org (fr)

User avatar
globule
Joomla! Guru
Joomla! Guru
Posts: 551
Joined: Tue Aug 30, 2005 9:11 pm
Location: Aix-En-Provence, France
Contact:

Re : Re: Joomla JIM Component File Inclusion Vulnerability

Post by globule » Fri Aug 18, 2006 1:12 pm

shutchi2 wrote: Well, I had people from 14 different countries do a google search on inurl:com_jim and they tagged me good.  My site is completely down for now.

Luckily for me I was at the top of the google search (mixed blessing).  :(

Scott
http://www.shutchi2.com
Is it down because you've been hacked?
May the forge be with you!
http://www.joomlation.eu (intl)
http://www.joomlation.org (fr)

shutchi2
Joomla! Apprentice
Joomla! Apprentice
Posts: 11
Joined: Thu Jan 12, 2006 12:45 am
Location: Westland, MI
Contact:

Re: Joomla JIM Component File Inclusion Vulnerability

Post by shutchi2 » Fri Aug 18, 2006 1:16 pm

It appears that way, but I'm going through logs right now to figure out what happened.  I'm on the console and the server is working but it looks like some files were modified.  Keeping it offline until I figure out what got changed.

User avatar
globule
Joomla! Guru
Joomla! Guru
Posts: 551
Joined: Tue Aug 30, 2005 9:11 pm
Location: Aix-En-Provence, France
Contact:

Re : Joomla JIM Component File Inclusion Vulnerability

Post by globule » Fri Aug 18, 2006 1:26 pm

You can get the list of all your files sorted by last modification date on joomlation.eu : filist.php
Once you get this list, remove this script...
May the forge be with you!
http://www.joomlation.eu (intl)
http://www.joomlation.org (fr)

User avatar
globule
Joomla! Guru
Joomla! Guru
Posts: 551
Joined: Tue Aug 30, 2005 9:11 pm
Location: Aix-En-Provence, France
Contact:

Re : Re: Joomla JIM Component File Inclusion Vulnerability

Post by globule » Fri Aug 18, 2006 1:41 pm

shutchi2 wrote: Well, I had people from 14 different countries do a google search on inurl:com_jim and they tagged me good.
Thanks to remind me this function!
I contacted all sites listed (2 pages) except one having no information about how to do so : http://www.infopyme.com.py

I also noticed many of the versions used on these sites are not up to date... This will be token in consideration for next version.

This forum url has been sent to Secunia as source for the patch.

Thanks a lot to joomla.org and its community to keep users informed so fast.
May the forge be with you!
http://www.joomlation.eu (intl)
http://www.joomlation.org (fr)

joomlaturk
Joomla! Explorer
Joomla! Explorer
Posts: 469
Joined: Thu Aug 18, 2005 10:40 pm
Location: las vegas USA
Contact:

Re: Re : Joomla JIM Component File Inclusion Vulnerability

Post by joomlaturk » Fri Aug 18, 2006 1:42 pm

globule wrote: You can get the list of all your files sorted by last modification date on joomlation.eu : filist.php
Once you get this list, remove this script...
I urge every joomla user to utilize filist.php tool.

it takes 2 seconds to find hacker scripts in your server with this method.
anybody that uploaded shell scripts will show at the top of the list.
simple just remove them ( DO NOT DOWNLOAD )
your anti virus program will give virus alert if you try to download.
joomla 1.6 Türk destek sitesi http://www.joomlaturk.net/

shutchi2
Joomla! Apprentice
Joomla! Apprentice
Posts: 11
Joined: Thu Jan 12, 2006 12:45 am
Location: Westland, MI
Contact:

Re: Joomla JIM Component File Inclusion Vulnerability

Post by shutchi2 » Fri Aug 18, 2006 1:43 pm

Found a php.haxplore file that was recently added, looking for info on it...anyone familiar with this?  ???

shutchi2
Joomla! Apprentice
Joomla! Apprentice
Posts: 11
Joined: Thu Jan 12, 2006 12:45 am
Location: Westland, MI
Contact:

Re: Joomla JIM Component File Inclusion Vulnerability

Post by shutchi2 » Fri Aug 18, 2006 2:22 pm

Well I'm back up and patched, my AV went nuts with the php.haxplore file so I deleted it.  Thanks for your help everyone, and that filist.php script works great!

Scott

User avatar
globule
Joomla! Guru
Joomla! Guru
Posts: 551
Joined: Tue Aug 30, 2005 9:11 pm
Location: Aix-En-Provence, France
Contact:

Re : Joomla JIM Component File Inclusion Vulnerability

Post by globule » Fri Aug 18, 2006 2:27 pm

Don't forget to remove it!

Was Jim used to upload the file? What the logs told you?
May the forge be with you!
http://www.joomlation.eu (intl)
http://www.joomlation.org (fr)

shutchi2
Joomla! Apprentice
Joomla! Apprentice
Posts: 11
Joined: Thu Jan 12, 2006 12:45 am
Location: Westland, MI
Contact:

Re: Joomla JIM Component File Inclusion Vulnerability

Post by shutchi2 » Fri Aug 18, 2006 2:34 pm

The logs didn't tell me what they used to upload it, just where it came from (proxy).  Sometimes win32 servers leave something to be desired...

tschier
Joomla! Intern
Joomla! Intern
Posts: 73
Joined: Thu Sep 08, 2005 6:37 am

Re: Re : Joomla JIM Component File Inclusion Vulnerability

Post by tschier » Thu Mar 29, 2007 1:26 am

joomlaturk wrote:
globule wrote: You can get the list of all your files sorted by last modification date on joomlation.eu : filist.php
Once you get this list, remove this script...
I urge every joomla user to utilize filist.php tool.

it takes 2 seconds to find hacker scripts in your server with this method.
anybody that uploaded shell scripts will show at the top of the list.
simple just remove them ( DO NOT DOWNLOAD )
your anti virus program will give virus alert if you try to download.

But can you tell a novice exactly how you use the filist.php tool? Do you uploade it to your server - where???


trebso
Joomla! Apprentice
Joomla! Apprentice
Posts: 31
Joined: Fri Sep 02, 2005 12:17 pm

Re: Joomla JIM Component File Inclusion Vulnerability

Post by trebso » Thu Jan 22, 2009 3:34 pm

filist.php doesn't seem to be available from joomlation.eu

Any alternative tool or source?

User avatar
globule
Joomla! Guru
Joomla! Guru
Posts: 551
Joined: Tue Aug 30, 2005 9:11 pm
Location: Aix-En-Provence, France
Contact:

Re: Joomla JIM Component File Inclusion Vulnerability

Post by globule » Thu Jan 22, 2009 8:32 pm

trebso wrote:filist.php doesn't seem to be available from joomlation.eu

Any alternative tool or source?
Of course it is !
http://joomlation.eu/index.php?option=c ... &Itemid=35
May the forge be with you!
http://www.joomlation.eu (intl)
http://www.joomlation.org (fr)

trebso
Joomla! Apprentice
Joomla! Apprentice
Posts: 31
Joined: Fri Sep 02, 2005 12:17 pm

Re: Joomla JIM Component File Inclusion Vulnerability

Post by trebso » Thu Jan 22, 2009 8:51 pm

My mistake - I searched for filist.php not filist.

Thanks


Locked

Return to “3rd Party/Non Joomla! Security Issues”