The Joomla! Forum ™
PostPosted: Sat Jul 29, 2006 1:50 am 
Joomla! Guru

Joined: Wed Aug 17, 2005 11:26 pm
Posts: 903
Remote file inclusion vulnerability.
JD-WordPress for Joomla is prone to multiple remote file-include vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker can exploit these issues to include arbitrary remote files containing malicious PHP code and execute it in the context of the webserver process. This may allow the attacker to compromise the application and to gain access to the underlying system.

Version 2.0-1.0 RC2 is vulnerable to these issues; prior versions may also be affected.
The developer has been notified.

_________________
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info


Last edited by RobS on Thu Aug 10, 2006 8:15 pm, edited 1 time in total.

PostPosted: Sat Jul 29, 2006 9:38 am 
Joomla! Ace

Joined: Wed Aug 17, 2005 10:12 pm
Posts: 1827
Location: Germany-Bad Abbach
Thanks Elpie, and as I said, I have problems reproducing this; maybe RobS can check this and, if so, why I have problems reproducing it. Thanks in advance.

_________________
The "Humor, Fun and Games" forum has more than 2500 Posts, so why not build a "Humor, Fun and Games Working" Group?
.....
Malicious tongues say we have this WG right from the start, they call it core team :D


PostPosted: Mon Jul 31, 2006 4:05 am 
Joomla! Intern

Joined: Mon Sep 19, 2005 5:28 pm
Posts: 93
Has there been any headway made with uncovering this vulnerability? This has me greatly concerned!


PostPosted: Mon Jul 31, 2006 4:51 am 
Joomla! Guru

Joined: Wed Aug 17, 2005 11:26 pm
Posts: 903
The exploits that have been published both appear to rely on register_globals being on. If you have register_globals off and are not running globals emulation 1 (globals.php in Joomla) you should be fine.
While I personally wouldn't use htaccess to block attempts, RobS's htaccess will also block any attempts to exploit JD-WordPress.

_________________
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info


PostPosted: Mon Jul 31, 2006 8:32 am 
Joomla! Ace

Joined: Mon Dec 05, 2005 10:17 am
Posts: 1367
Location: New Orleans, LA, USA
Joomla!'s RG emulation is probably safe as it does a fair job of sanitizing input, but I haven't thoroughly tested it myself, just browsed through it a bit.

_________________
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions


PostPosted: Mon Jul 31, 2006 3:26 pm 
Joomla! Ace

Joined: Wed Aug 17, 2005 10:12 pm
Posts: 1827
Location: Germany-Bad Abbach
Well, I have tested this now over the weekend locally with RG on and allow_furl on together with Joomla! 1.0.10, and also on a friend's web hosting with RG on and allow_furl on and Joomla! 1.0.10, and could not reproduce this, but to avoid any constellation which may allow this I have made a patch where I replaced the call

require_once( $mosConfig_absolute_path .'/components/com_jd-wp/wp-config.php' );

into

require(dirname(__FILE__) . '/wp-config.php');

to be sure.

If you normally have RG off you should be safe, as I was, even with it on, not able to hack it with Joomla! 1.0.10.



_________________
The "Humor, Fun and Games" forum has more than 2500 Posts, so why not build a "Humor, Fun and Games Working" Group?
.....
Malicious tongues say we have this WG right from the start, they call it core team :D
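A defender-side check for the pattern the thread turns on: an include whose path is rooted in a PHP variable (the `$mosConfig_absolute_path` call above) versus one rooted in the including file's own location (the `dirname(__FILE__)` replacement). This is an added example in Python, not code from JD-WordPress or from anyone in this thread; the sample PHP source and the verdict labels are constructed here, and a "variable-rooted" verdict only means the path root can be overwritten when register_globals (or a lax globals emulation) is in play, not that a given install is exploitable.

```python
import re

# Matches include/require/include_once/require_once and captures the path expression.
INCLUDE_RE = re.compile(
    r"\b(?:include|require)(?:_once)?\b\s*\(?\s*(?P<expr>[^;]+?)\s*\)?\s*;"
)

# Constructed sample, not the component's real source: the line the patch removed,
# the line it put in its place, and an ordinary literal include.
SAMPLE_PHP = """<?php
require_once( $mosConfig_absolute_path .'/components/com_jd-wp/wp-config.php' );
require(dirname(__FILE__) . '/wp-config.php');
include 'helpers.php';
"""


def classify(expr: str) -> str:
    """Label an include path expression by where its root comes from."""
    expr = expr.strip()
    if expr.startswith("$"):
        # Rooted in a PHP variable: with register_globals on (or a globals
        # emulation that does not strip it), a request parameter of the same
        # name can overwrite it, which is what turns a local include remote.
        return "variable-rooted"
    if expr.startswith(("dirname(__FILE__)", "__DIR__", "'", '"')):
        # Rooted in the including file's own location or a string literal.
        return "safe"
    # Constants, function calls and other expressions need a human look.
    return "review"


def scan_php(source: str) -> list[tuple[int, str, str]]:
    """Return (line number, verdict, path expression) for every include statement."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in INCLUDE_RE.finditer(line):
            expr = match.group("expr")
            findings.append((lineno, classify(expr), expr))
    return findings


if __name__ == "__main__":
    for lineno, verdict, expr in scan_php(SAMPLE_PHP):
        print(f"line {lineno}: {verdict:16} {expr}")
```

Run it over a component's PHP files to list every include whose root is a variable; each such line is a candidate for the same `dirname(__FILE__)` rewrite Marco applied.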


PostPosted: Tue Aug 01, 2006 6:59 am 
Joomla! Ace

Joined: Mon Dec 05, 2005 10:17 am
Posts: 1367
Location: New Orleans, LA, USA
Also added to the list with a link to your patch.

_________________
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions


PostPosted: Thu Aug 03, 2006 1:20 am 
Joomla! Explorer

Joined: Mon Aug 22, 2005 5:43 pm
Posts: 382
Marco

I must say, you have done a gr8 job with this component.

_________________
--Vish "Still Learning"


PostPosted: Thu Aug 03, 2006 1:38 am 
Joomla! Ace

Joined: Wed Aug 17, 2005 10:12 pm
Posts: 1827
Location: Germany-Bad Abbach
Vish wrote:
Marco

I must say, you have done a gr8 job with this component.


Thanks Vish  8)

Will add in the next days the use of permalinks with Joomla, so JD-WP will then also have long URLs :D the way the original WP has them. It's a custom job, but I can then release the code to the community so everybody can use it ;)

_________________
The "Humor, Fun and Games" forum has more than 2500 Posts, so why not build a "Humor, Fun and Games Working" Group?
.....
Malicious tongues say we have this WG right from the start, they call it core team :D


PostPosted: Sat Aug 05, 2006 3:00 am 
Joomla! Intern

Joined: Sat Aug 20, 2005 5:20 am
Posts: 51
Location: Ohio
RobS wrote:
Also added to the list with a link to your patch.


Hi RobS,

I ran across your notice that JD-WordPress was on the Security Risk list, but I don't see the link to the patch you mention here. Please point me to it.

Thanks,
Steve

_________________
Steve


PostPosted: Sat Aug 05, 2006 6:55 am 
Joomla! Ace

Joined: Wed Aug 17, 2005 10:12 pm
Posts: 1827
Location: Germany-Bad Abbach
cmyksteve wrote:
RobS wrote:
Also added to the list with a link to your patch.


Hi RobS,

I ran across your notice that JD-WordPress was on the Security Risk list, but I don't see the link to the patch you mention here. Please point me to it.

Thanks,
Steve


See the attachment in Reply #5 in this Thread ;)

_________________
The "Humor, Fun and Games" forum has more than 2500 Posts, so why not build a "Humor, Fun and Games Working" Group?
.....
Malicious tongues say we have this WG right from the start, they call it core team :D


PostPosted: Thu Aug 17, 2006 12:10 pm 
Joomla! Ace

Joined: Sun Sep 18, 2005 8:28 pm
Posts: 1824
Location: Scotland
I've just patched JD-WP and the commenting system failed to work afterwards. But soon I realised there was a typo on line 64:

elseif ( !is_email($comment_author_email))

should have been:

elseif ( !is_wp_email($comment_author_email))

Nothing major and apart from that everything else went smoothly. Thanks for the security patch :)

P.S. I have attached the patch here to include the line above and nothing else.



_________________
Custom website design | blog | tutorials | Photography | Downloads
Freelance Web Designer/Developer: www.duvien.com


PostPosted: Thu Aug 17, 2006 12:16 pm 
Joomla! Ace

Joined: Wed Aug 17, 2005 10:12 pm
Posts: 1827
Location: Germany-Bad Abbach
Oops, sorry, my fault :-[

Thanks duvien for correcting this ;)

_________________
The "Humor, Fun and Games" forum has more than 2500 Posts, so why not build a "Humor, Fun and Games Working" Group?
.....
Malicious tongues say we have this WG right from the start, they call it core team :D


PostPosted: Wed Oct 24, 2007 7:21 pm 
Joomla! Fledgling

Joined: Wed Oct 24, 2007 7:19 pm
Posts: 1
Hi, where can I download JD-WordPress?


Last edited by Samleo on Wed Oct 24, 2007 7:36 pm, edited 1 time in total.

PostPosted: Thu Dec 20, 2007 4:42 pm 
I've been banned!

Joined: Wed Dec 19, 2007 10:36 pm
Posts: 21
What plugins are you using with the WordPress app?

_________________
smile


PostPosted: Thu Dec 20, 2007 5:19 pm 
Joomla! Intern

Joined: Sat Aug 20, 2005 5:20 am
Posts: 51
Location: Ohio
JD-WordPress is no longer supported.
But a fork of this Joomla component, called mojoBlog, can be found on Joomlify.com.

mojoBlog is still in beta, running under Joomla 1.0.13.

_________________
Steve


PostPosted: Mon Feb 25, 2008 12:01 am 
Joomla! Enthusiast

Joined: Fri Sep 02, 2005 8:45 pm
Posts: 103
Location: Peru - The Land for All Your Senses
Hello, it seems that the joomlify.com site is down.
Where else can I get this mojoBlog component?
Thanks,
Javier


PostPosted: Mon Feb 25, 2008 3:20 pm 
Joomla! Intern

Joined: Sat Jun 02, 2007 2:48 am
Posts: 61
I am also among the number of people who can't access the joomlify site. Anyone know what went down? It was fine a few days ago.


PostPosted: Mon Feb 25, 2008 4:37 pm 
Joomla! Intern

Joined: Sat Aug 20, 2005 5:20 am
Posts: 51
Location: Ohio
NateM wrote:
... Anyone know what went down? It was fine a few days ago.


I'm sure Kevin will have Joomlify.com back up soon. The datacenter was having some issues but it looked like those were being addressed last week. I don't know what this current blackout was caused by, but waiting on files directly from Joomlify.com would be the best place to get current versions of mojoBlog (beta 0.16).

_________________
Steve


Last edited by cmyksteve on Tue Feb 26, 2008 4:38 am, edited 1 time in total.

PostPosted: Mon Feb 25, 2008 6:34 pm 
Joomla! Enthusiast

Joined: Fri Sep 02, 2005 8:45 pm
Posts: 103
Location: Peru - The Land for All Your Senses
OK, hope it will be up soon, thank you!
Anyway, do you know any alternative download page?
Thanks,
Javier

_________________
Javier Yep Garcia
SEO & Website Solutions Expert
http://www.godmarketing.com
http://www.javieryep.com


PostPosted: Tue Feb 26, 2008 12:55 am 
Joomla! Intern

Joined: Sat Aug 20, 2005 5:20 am
Posts: 51
Location: Ohio
Joomlify.com is back up.
Here's a link to the current version of mojoBlog from the download area:
http://www.joomlify.com/component/optio ... Itemid,53/

_________________
Steve

