dangerous vulnirabilty in joomla 1.5beta2

Please see sticky inside.
User avatar
stiwa10
I've been banned!
Posts: 142
Joined: Fri May 25, 2007 10:57 pm
Location: morocco
Contact:

dangerous vulnirabilty in joomla 1.5beta2

Postby stiwa10 » Sun Jul 22, 2007 9:21 pm

hello
an dangerous vulnirability has been detected on joomla 1.5beta2 (Remote command execution)

Vulnerability overview:
-----------------------

The search component of Joomla! allows an attacker to execute arbitrary
PHP commands. It is e.g. possible to execute OS commands via system()
calls. PHP is set to the settings recommended by the Joomla! installer!


An attacker does not need to be authenticated to perform this attack!
Vulnerability description:
--------------------------

The following scripts of a default Joomla! 1.5 beta 2 installation
contain the vulnerable code:

1) components/com_search/views/search/tmpl/default_results.php

line 12: result .'";'); ?>

2) templates/beez/html/com_search/search/default_results.php

line 25: echo '

' . eval ('echo "' . $this->result . '";');


Input of the "searchword" parameter is being passed to the mentioned
eval() code and executed. An attacker is able to append new PHP commands
after the "echo" language construct which can be used for OS command
execution.

In order to bypass the search word length limitation of 20 characters a
new GET parameter is being used to specify the OS commands (see proof of
concept).

you can read more here  http://www.milw0rm.com/exploits/4212

Last edited by infograf768 on Mon Jul 23, 2007 6:06 am, edited 1 time in total.
سبحان الله وبحمده سبحان الله العظيم
http://www.joomla35.us

User avatar
Hackwar
Joomla! Virtuoso
Joomla! Virtuoso
Posts: 3762
Joined: Fri Sep 16, 2005 8:41 pm
Location: NRW - Germany
Contact:

Re: dangerous vulnirabilty in joomla 1.5beta2

Postby Hackwar » Sun Jul 22, 2007 9:59 pm

Joomla! 1.5 Beta2 was not meant for productive use, since exactly those security checks were not made. 2 weeks ago, this vulnerability was fixed in the trunk.
god doesn't play dice with the universe. not after that drunken night with the devil where he lost classical mechanics in a game of craps.

Since the creation of the Internet, the Earth's rotation has been fueled, primarily, by the collective spinning of English teachers in their graves.

User avatar
Robin
Joomla! Master
Joomla! Master
Posts: 15753
Joined: Thu Aug 18, 2005 10:41 am

Re: dangerous vulnirabilty in joomla 1.5beta2

Postby Robin » Tue Jul 24, 2007 9:24 am

Moderator note: moving from Development 1.5 to New J1.5 Forum Section

AmyStephen
Joomla! Champion
Joomla! Champion
Posts: 7056
Joined: Wed Nov 22, 2006 3:35 pm
Location: Nebraska
Contact:

Re: dangerous vulnirabilty in joomla 1.5beta2

Postby AmyStephen » Tue Jul 24, 2007 2:51 pm

In case someone hasn't heard the good news, we are now at Joomla! v 1.5 RC 1 where this problem does *not* exist.

hannul
Joomla! Explorer
Joomla! Explorer
Posts: 265
Joined: Sun Jun 11, 2006 10:51 am
Location: Finland

Re: dangerous vulnirabilty in joomla 1.5beta2

Postby hannul » Tue Jul 24, 2007 4:01 pm

In todays world, beta so often means usable, that if one wants to avoid using its products better name it alpha.

User avatar
willebil
Joomla! Guru
Joomla! Guru
Posts: 764
Joined: Thu Aug 18, 2005 12:06 pm
Location: Netherlands

Re: dangerous vulnirabilty in joomla 1.5beta2

Postby willebil » Tue Jul 24, 2007 8:18 pm

Hannul, we have been very explicit on not using the beta's on production sites.

Alpha = API is subject to change, functionality is not fully ready
Beta = API is not subject to change (at least we will try), but code is not prouction readyy
RC = code is considered production ready, last status before we go life
Stable = code is fully ready, release goes into maintenance mode (only maintanance releases will be done, and we move on to the next major/minor versions)

See also the development strategy for an in depth explaination --> http://dev.joomla.org/Joomla!%20Develop ... .v.1.0.pdf

hannul
Joomla! Explorer
Joomla! Explorer
Posts: 265
Joined: Sun Jun 11, 2006 10:51 am
Location: Finland

Re: dangerous vulnirabilty in joomla 1.5beta2

Postby hannul » Wed Jul 25, 2007 8:11 am

I did not mean, that the fault is joomlas, but the fact is that there are products named beta (like googles many services) and codes with version numbers less that 1.0 (many Pear modules) that are fully usable. So it don't help anymore what J says, people don't read but act as they have used to. Assumption is that Beta = usable.

I don't think that joomla could have done it (versioning, warnings) any differently, but it is useless to assume that just saying that beta is not for production use is good enough.

There is another thing also, beta was launched to be tested, so it is safe to assume that while there are no "pruduction sites" out there, but test sites are and that those have been still indexed by google. Or is there something in beta distribution that prevents this?

To me it bytheway seemded, that security flaw was only usable, it beez was selected template, and rhuk_milyway is the default, so probably most of the test installations avoid this security flaw.

User avatar
Chris
Joomla! Guru
Joomla! Guru
Posts: 798
Joined: Sat Aug 20, 2005 3:58 am
Location: Australia

Re: dangerous vulnirabilty in joomla 1.5beta2

Postby Chris » Sat Jul 28, 2007 9:10 am

hannul wrote:
There is another thing also, beta was launched to be tested, so it is safe to assume that while there are no "pruduction sites" out there, but test sites are and that those have been still indexed by google. Or is there something in beta distribution that prevents this?



If one wants to stop indexing and/or any one other than the owner of the site using it, there is .htaccess, robots.txt and other tricks to stop that I would think.
And I suppose that is what one should do with test sites anyway.
There is no failure until you give up.

Chris

User avatar
nathandiehl
Joomla! Champion
Joomla! Champion
Posts: 6044
Joined: Fri Aug 19, 2005 3:03 pm
Location: Indiana, USA
Contact:

Re: dangerous vulnirabilty in joomla 1.5beta2

Postby nathandiehl » Tue Jul 31, 2007 4:00 pm

i am going to move this to the Beta2 board, as this vulnerabilty was in beta2, not in RC.
If you're new to Joomla, Please read Anna's Joomla! Tips: viewtopic.php?t=5503

http://nathandiehl.com | Find out what makes me tick


Return to “Joomla! 1.5 BETA 2”

Who is online

Users browsing this forum: No registered users and 1 guest