Change font size Change Width
Advanced Search
 

Joomla! Discussion Forums



It is currently Thu Nov 26, 2009 1:47 pm (All times are UTC )

 

Board index » Joomla! Older Version Support » Joomla! 1.0 » Security - 1.0.x

Forum rules

Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.



Post new topic Reply to topic  Page 1 of 1
  [ 2 posts ] 
  Print view Previous topic | Next topic 
Author Message
winuser
Posted: Thu Aug 16, 2007 6:47 pm 
User avatar
Joomla! Intern
Joomla! Intern
Offline

Joined: Fri Aug 18, 2006 9:57 am
Posts: 96
Location: Asia / U.S.
Two Pro Edition users were notified by their service companies that a file in the J! Reactions commenting system was being used to send spam email (apparently French content). The problem has been traced specifically to the langset.php file (which is located in the administrator/components/com_jreactions folder. Build 1.9.0 will fix this problem, but the immediate action is to simply replace the langset.php file. Here it is:

Code:
<?php defined( '_VALID_MOS' ) or die( 'Direct access is prohibited.' );
global $mosConfig_lang;
if (file_exists("$comPath/custom/".$mosConfig_lang.".php")) {
   include("$comPath/custom/".$mosConfig_lang.".php");
} else {
   require("$comPath/custom/english.php");
} ?>


The security issue is caused by the fact that the old file does not check for VALID_MOS. I suggest that all J! Reactions' users (a) un-install the J! Reactions component in the normal manner, (b) double-check that ALL J! Reactions folders on the server are removed after the un-install, and (c) install build 1.9.0 when it is released in a few days. Any existing comment data will be safe in the data tables in the interim.

I apologize for any service interruptions resulting from this exploit.  :-[

_________________
Science • Education • Programming

Top
  E-mail  
 
rliskey
Posted: Thu Aug 16, 2007 10:44 pm 
User avatar
Joomla! Guru
Joomla! Guru
Offline

Joined: Tue Jun 06, 2006 7:41 am
Posts: 808
Location: Third planet from Sol
Thanks for reporting and for providing clear recovery directions.

Added to the Vulnerable Extensions list here:
http://help.joomla.org/component/option ... temid,268/

_________________
Web Home: http://www.ronliskey.com
Support http://support.educationgrove.com

Top
  E-mail  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  Page 1 of 1
  [ 2 posts ] 

Quick reply

 


Board index » Joomla! Older Version Support » Joomla! 1.0 » Security - 1.0.x

Who is online

Users browsing this forum: acawley, mosscliffe and 20 guests

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Jump to:  
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group
 
 
 
 
 

© 2005-2009 Open Source Matters, Inc. All rights reserved. Joomla hosting by Rochen Ltd.