Attention: Official List of Vulnerable 3rd Party Add-ons!!!

For all Non-Joomla! security issues. ie 3pd Components etc.

Moderator: General Support Moderators

Forum rules
User avatar
RobS
Joomla! Ace
Joomla! Ace
Posts: 1366
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA
Contact:

Attention: Official List of Vulnerable 3rd Party Add-ons!!!

Post by RobS » Sun Jul 23, 2006 10:11 pm

[MOD: All information on vulnerable 3rd party extensions has been moved to the Joomla! Wiki]
http://docs.joomla.org/Vulnerable_Extensions_List
Last edited by rliskey on Fri Jul 06, 2007 5:03 pm, edited 1 time in total.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

User avatar
RobS
Joomla! Ace
Joomla! Ace
Posts: 1366
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA
Contact:

Re: Attention: Official List of Vulnerable 3rd Party Add-ons!!!

Post by RobS » Sat Jul 29, 2006 7:06 pm

Updated.  Added A6MamboHelpDesk to the list of vulnerable components and also updated the information for LoudMouth as it has reportedly been fixed now.

Last updated July 29, 2006 @ 12:06 PM PDT.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

User avatar
RobS
Joomla! Ace
Joomla! Ace
Posts: 1366
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA
Contact:

Re: Attention: Official List of Vulnerable 3rd Party Add-ons!!!

Post by RobS » Tue Aug 01, 2006 6:40 am

Updated again.  Added 7 components to the naughty list.

PC Cook Book
User Home Pages 1 and 2
Mambo Gallery Manager
JD-WordPress
Colophon
LMO
Bayesian Naive Filter

That brings this list to 34 components.
Last updated on July 31, 2006 @ 11:34 PM PDT.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

User avatar
RobS
Joomla! Ace
Joomla! Ace
Posts: 1366
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA
Contact:

Re: Attention: Official List of Vulnerable 3rd Party Add-ons!!!

Post by RobS » Thu Aug 10, 2006 8:46 am

Updated Again...

Added
JD-Wiki
Community Builder (com_profiler)  ((Thank you JM!))
Updated status for LMO
Updated link for SMF Bridge (for SMF 1.1RC2 only)

Last updated on August 10th, 2006 at 1:45 AM PDT (GMT-7)
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

User avatar
RobS
Joomla! Ace
Joomla! Ace
Posts: 1366
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA
Contact:

Re: Attention: Official List of Vulnerable 3rd Party Add-ons!!!

Post by RobS » Thu Aug 10, 2006 9:15 am

I forgot some...

Added:
Classifieds
Events
Hot Properties

Last updated on August 10th, 2006 at 2:15 AM PDT (GMT-7)
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

User avatar
RobS
Joomla! Ace
Joomla! Ace
Posts: 1366
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA
Contact:

Re: Attention: Official List of Vulnerable 3rd Party Add-ons!!!

Post by RobS » Thu Aug 10, 2006 7:07 pm

Added Blogg-X Mambot. - Removed Blogg-X.  It does not appear to be vulnerable upon further investigation.
Updated information about Security Images.

That brings the number of insecure 3rd party extensions up to 40 extensions.

Last updated on August 12th, 2006 at 11:16 AM PDT (GMT-7)
Last edited by RobS on Sat Aug 12, 2006 6:17 pm, edited 1 time in total.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

User avatar
RobS
Joomla! Ace
Joomla! Ace
Posts: 1366
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA
Contact:

Re: Attention: Official List of Vulnerable 3rd Party Add-ons!!!

Post by RobS » Sat Aug 12, 2006 6:18 pm

Removed Blogg-X.  Upon further investigation Blogg-X does not appear to be vulnerable.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

User avatar
infograf768
Joomla! Master
Joomla! Master
Posts: 19133
Joined: Fri Aug 12, 2005 3:47 pm
Location: **Translation Matters**

Re: Attention: Official List of Vulnerable 3rd Party Add-ons!!!

Post by infograf768 » Tue Aug 15, 2006 5:59 am

Temporarily added the abandonned Webring component until updated by Robs.
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group

user deleted

Re: Attention: Official List of Vulnerable 3rd Party Add-ons!!!

Post by user deleted » Tue Aug 15, 2006 6:58 pm

Update has come in about Mosets Hot Property, there 0.98 release should fix the security issues. Still need to verify before we change the current listing.

Regards Robin

user deleted

Re: Attention: Official List of Vulnerable 3rd Party Add-ons!!!

Post by user deleted » Wed Aug 16, 2006 7:16 am

I have received a reply from the developer of Mosets Tree and Hot Property. Mosets Tree 1.5.9 and Hot Property 0.98 are now solving the security issues. The list will be changed accordingly.

User avatar
infograf768
Joomla! Master
Joomla! Master
Posts: 19133
Joined: Fri Aug 12, 2005 3:47 pm
Location: **Translation Matters**

Re: Attention: Official List of Vulnerable 3rd Party Add-ons!!!

Post by infograf768 » Fri Aug 18, 2006 4:22 am

See here for hacks concerning Joomlaboard 1.1.2 and CB 1.0.1 to make them compatible with register globals off as set in globals.php

http://forum.joomla.org/index.php/topic,86525.0.html

(please integrate in your list, Robs)
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group

user deleted

Re: Attention: Official List of Vulnerable 3rd Party Add-ons!!!

Post by user deleted » Fri Aug 18, 2006 6:33 am

Thanks JM, added as a note/reference to the listing.

user deleted

Re: Attention: Official List of Vulnerable 3rd Party Add-ons!!!

Post by user deleted » Fri Aug 18, 2006 11:23 am


user deleted

Re: Attention: Official List of Vulnerable 3rd Party Add-ons!!!

Post by user deleted » Fri Aug 18, 2006 11:34 am

Added Mambelfish 1.x due to report ; http://secunia.com/advisories/21544/

User avatar
infograf768
Joomla! Master
Joomla! Master
Posts: 19133
Joined: Fri Aug 12, 2005 3:47 pm
Location: **Translation Matters**

Re: Attention: Official List of Vulnerable 3rd Party Add-ons!!!

Post by infograf768 » Wed Aug 23, 2006 7:11 am

JCE vulnerability. Patch available.
http://www.cellardoor.za.net/index.php? ... mla.org%29
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group

User avatar
infograf768
Joomla! Master
Joomla! Master
Posts: 19133
Joined: Fri Aug 12, 2005 3:47 pm
Location: **Translation Matters**

Re: Attention: Official List of Vulnerable 3rd Party Add-ons!!!

Post by infograf768 » Sat Aug 26, 2006 8:32 am

I am informed a JCE 1.1 release is soon to get out. All potential holes will be plugged.
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group

User avatar
infograf768
Joomla! Master
Joomla! Master
Posts: 19133
Joined: Fri Aug 12, 2005 3:47 pm
Location: **Translation Matters**

Re: Attention: Official List of Vulnerable 3rd Party Add-ons!!!

Post by infograf768 » Sun Aug 27, 2006 8:38 am

SEF404x has been found vulnerable.
No crack known yet.
Developer contacted.
Extension taken off from JED until fixed.
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group

User avatar
RobS
Joomla! Ace
Joomla! Ace
Posts: 1366
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA
Contact:

Re: Attention: Official List of Vulnerable 3rd Party Add-ons!!!

Post by RobS » Fri Sep 01, 2006 10:10 am

Updated again...

Added BigApe Backup
Added SEF404x
Updated Colophon
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

User avatar
infograf768
Joomla! Master
Joomla! Master
Posts: 19133
Joined: Fri Aug 12, 2005 3:47 pm
Location: **Translation Matters**

Re: Attention: Official List of Vulnerable 3rd Party Add-ons!!!

Post by infograf768 » Tue Sep 05, 2006 4:54 am

Remository v3.25 vulnerable.
Update to 3.26

See http://forum.joomla.org/index.php/topic ... #msg461272
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group

User avatar
Tonie
Joomla! Master
Joomla! Master
Posts: 16553
Joined: Thu Aug 18, 2005 7:13 am

Re: Attention: Official List of Vulnerable 3rd Party Add-ons!!!

Post by Tonie » Thu Sep 28, 2006 8:04 am

Added Facile Forms 1.46g and older, upgrade available.

User avatar
rliskey
Joomla! Guru
Joomla! Guru
Posts: 828
Joined: Tue Jun 06, 2006 7:41 am
Location: California, Germany, Norway
Contact:

Re: Attention: Official List of Vulnerable 3rd Party Add-ons!!!

Post by rliskey » Thu Oct 05, 2006 7:32 am

The Official List of Vulnerable 3rd Party/Non Joomla! Extensions is the new home for information on vulnerable 3rd party extensions. It contains a table style overview of all known vulnerable extensions with links to detailed information on each one.
http://forum.joomla.org/index.php/board,346.0.html

This thread will remain for announcements and discussions related to vulnerable 3rd party extension security issues.
Last edited by rliskey on Thu Oct 05, 2006 7:40 am, edited 1 time in total.

User avatar
rliskey
Joomla! Guru
Joomla! Guru
Posts: 828
Joined: Tue Jun 06, 2006 7:41 am
Location: California, Germany, Norway
Contact:

Re: Attention: Official List of Vulnerable 3rd Party Add-ons!!!

Post by rliskey » Sat Oct 21, 2006 1:45 am

The Big Ape entry was updated with a link to a patch that was released by the developer.

User avatar
rliskey
Joomla! Guru
Joomla! Guru
Posts: 828
Joined: Tue Jun 06, 2006 7:41 am
Location: California, Germany, Norway
Contact:

Re: Attention: Official List of Vulnerable 3rd Party Add-ons!!!

Post by rliskey » Sat Oct 21, 2006 1:49 am

Joomlaboard entry has been updated to advise upgrade to version 1.1.3
http://forum.joomla.org/index.php/topic ... #msg501968

User avatar
rliskey
Joomla! Guru
Joomla! Guru
Posts: 828
Joined: Tue Jun 06, 2006 7:41 am
Location: California, Germany, Norway
Contact:

Re: Attention: Official List of Vulnerable 3rd Party Add-ons!!!

Post by rliskey » Sun Oct 22, 2006 4:45 am

BSQ Site Stats entry updated due to SQL injection vulnerability.
http://forum.joomla.org/index.php/topic,100146

User avatar
Tonie
Joomla! Master
Joomla! Master
Posts: 16553
Joined: Thu Aug 18, 2005 7:13 am

Re: Attention: Official List of Vulnerable 3rd Party Add-ons!!!

Post by Tonie » Mon Nov 13, 2006 7:49 pm

Security issue with JCE 1.0.4, please read here

User avatar
rliskey
Joomla! Guru
Joomla! Guru
Posts: 828
Joined: Tue Jun 06, 2006 7:41 am
Location: California, Germany, Norway
Contact:

Re: Attention: Official List of Vulnerable 3rd Party Add-ons!!!

Post by rliskey » Sat Jan 06, 2007 6:09 am

Added a link to the Adobe Reader XSS vulnerability report. This is not a Joomla! or third party issue, but because so many sites use PDF files, I think it's worth noting.

http://forum.joomla.org/index.php/topic ... #msg506694

User avatar
rliskey
Joomla! Guru
Joomla! Guru
Posts: 828
Joined: Tue Jun 06, 2006 7:41 am
Location: California, Germany, Norway
Contact:

Re: Attention: Official List of Vulnerable 3rd Party Add-ons!!!

Post by rliskey » Tue Mar 13, 2007 6:11 pm

VirtueMart vulnerability reported by the vendor. For all versions below 1.0.10.
Patch available; upgrade immediately.
http://forum.joomla.org/index.php/topic,150053

User avatar
rliskey
Joomla! Guru
Joomla! Guru
Posts: 828
Joined: Tue Jun 06, 2006 7:41 am
Location: California, Germany, Norway
Contact:

Re: Attention: Official List of Vulnerable 3rd Party Add-ons!!!

Post by rliskey » Sun Mar 18, 2007 9:56 pm

Seems there's a vulnerable, abandoned project floating around called "Link Directory" that some people are finding and installing.

Name: Link Directory
Short Name: com_linkdirectory
Versions: All (abandoned project)
Reference: http://forum.joomla.org/index.php?topic=149131.new#new
Last edited by rliskey on Sun Mar 18, 2007 9:58 pm, edited 1 time in total.

User avatar
rliskey
Joomla! Guru
Joomla! Guru
Posts: 828
Joined: Tue Jun 06, 2006 7:41 am
Location: California, Germany, Norway
Contact:

Re: Attention: Official List of Vulnerable 3rd Party Add-ons!!!

Post by rliskey » Sun May 13, 2007 8:56 pm

The Official Vulnerable Extensions List is now hosted on the Help site, in the FAQs section.

The Security and Performance FAQs are an easy-to-navigate list of essential information gleaned from quality Security Forum posts.
Last edited by rliskey on Sun May 13, 2007 9:07 pm, edited 1 time in total.

User avatar
rliskey
Joomla! Guru
Joomla! Guru
Posts: 828
Joined: Tue Jun 06, 2006 7:41 am
Location: California, Germany, Norway
Contact:

Re: Attention: Official List of Vulnerable 3rd Party Add-ons!!!

Post by rliskey » Thu Jun 21, 2007 7:10 pm

The Vulnerable Extensions List is once again improved. All data is now available in one view.
http://help.joomla.org/component/option ... temid,268/


Locked

Return to “3rd Party/Non Joomla! Security Issues”