dangerous vulnerability in joomla 1.5beta2
- stiwa10
- I've been banned!
- Posts: 142
- Joined: Fri May 25, 2007 10:57 pm
- Location: morocco
- Contact:
dangerous vulnerability in joomla 1.5beta2
hello
a dangerous vulnerability has been detected in joomla 1.5beta2 (Remote command execution)
Vulnerability overview:
-----------------------
The search component of Joomla! allows an attacker to execute arbitrary
PHP commands. It is e.g. possible to execute OS commands via system()
calls. PHP is set to the settings recommended by the Joomla! installer!
An attacker does not need to be authenticated to perform this attack!
Vulnerability description:
--------------------------
The following scripts of a default Joomla! 1.5 beta 2 installation
contain the vulnerable code:
1) components/com_search/views/search/tmpl/default_results.php
line 12: result .'";'); ?>
2) templates/beez/html/com_search/search/default_results.php
line 25: echo '' . eval ('echo "' . $this->result . '";');
Input of the "searchword" parameter is being passed to the mentioned
eval() code and executed. An attacker is able to append new PHP commands
after the "echo" language construct which can be used for OS command
execution.
In order to bypass the search word length limitation of 20 characters a
new GET parameter is being used to specify the OS commands (see proof of
concept).
You can read more here: http://www.milw0rm.com/exploits/4212
Last edited by infograf768 on Mon Jul 23, 2007 6:06 am, edited 1 time in total.
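The advisory above describes a search template that concatenates the request-derived search result into a string handed to eval(), so the input decides what PHP runs. As an added illustration (not Joomla's code and not the fix the project shipped in trunk, which this thread does not show), the snippet below places that pattern next to a hardened rendering function that treats the result as data, and adds a coarse review helper for spotting eval() calls that receive variable input. The function names and the sample template fragment are constructed for this example.

```php
<?php
// Added example, not Joomla's code. Function names and sample data are hypothetical.

// Vulnerable pattern quoted in the advisory (kept as a comment, never executed here):
//   echo '' . eval('echo "' . $this->result . '";');
// Whatever ends up in $this->result (derived from the "searchword" parameter)
// is compiled and run as PHP, so a double quote in the input ends the string
// literal and the rest of the input becomes code.

/**
 * Hardened equivalent: the result is escaped for HTML output and never
 * reaches eval(). Escaping for the output context is all that is needed to
 * display a search term; no code generation is required.
 */
function render_search_result(string $result): string
{
    return htmlspecialchars($result, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Coarse audit helper for code review: report lines where eval() receives an
 * expression that includes a variable. This is a regex over source text, not a
 * parser, so hits are review candidates rather than confirmed findings.
 * Returns "lineNumber: source" strings.
 */
function find_eval_with_variable(string $source): array
{
    $hits = [];
    foreach (explode("\n", $source) as $index => $line) {
        // eval( ... $something ... ) on one line
        if (preg_match('/\beval\s*\(.*\$\w+/', $line)) {
            $hits[] = ($index + 1) . ': ' . trim($line);
        }
    }
    return $hits;
}

// Constructed template fragment: one line resembling the affected code, one safe line.
$sampleTemplate = <<<'TPL'
<p class="result">
<?php echo '' . eval('echo "' . $this->result . '";'); ?>
<?php echo htmlspecialchars($this->result, ENT_QUOTES, 'UTF-8'); ?>
</p>
TPL;

foreach (find_eval_with_variable($sampleTemplate) as $hit) {
    echo "eval() with variable input at line {$hit}\n";
}

// Constructed input containing a closing quote and a statement separator: with the
// eval() pattern it would be interpreted as code; the hardened function renders it
// as inert text.
$input = 'abc"; echo "injected';
echo render_search_result($input), "\n";
```

Run with `php example.php`; the audit helper reports only the eval() line of the sample fragment, and the hardened function prints the constructed input with its quotes converted to HTML entities rather than interpreting it.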
- Hackwar
- Joomla! Virtuoso
- Posts: 3788
- Joined: Fri Sep 16, 2005 8:41 pm
- Location: NRW - Germany
- Contact:
Re: dangerous vulnerability in joomla 1.5beta2
Joomla! 1.5 Beta2 was not meant for production use, since exactly those security checks were not made. 2 weeks ago, this vulnerability was fixed in the trunk.
god doesn't play dice with the universe. not after that drunken night with the devil where he lost classical mechanics in a game of craps.
Since the creation of the Internet, the Earth's rotation has been fueled, primarily, by the collective spinning of English teachers in their graves.
Re: dangerous vulnerability in joomla 1.5beta2
Moderator note: moving from Development 1.5 to New J1.5 Forum Section
-
- Joomla! Champion
- Posts: 7018
- Joined: Wed Nov 22, 2006 3:35 pm
- Location: Nebraska
- Contact:
Re: dangerous vulnerability in joomla 1.5beta2
In case someone hasn't heard the good news, we are now at Joomla! v 1.5 RC 1 where this problem does *not* exist.
-
- Joomla! Explorer
- Posts: 265
- Joined: Sun Jun 11, 2006 10:51 am
- Location: Finland
Re: dangerous vulnerability in joomla 1.5beta2
In today's world, beta so often means usable that if one wants to avoid people using its products, better name it alpha.
- willebil
- Joomla! Guru
- Posts: 762
- Joined: Thu Aug 18, 2005 12:06 pm
- Location: Netherlands
Re: dangerous vulnerability in joomla 1.5beta2
Hannul, we have been very explicit about not using the betas on production sites.
Alpha = API is subject to change, functionality is not fully ready
Beta = API is not subject to change (at least we will try), but code is not production ready
RC = code is considered production ready, last status before we go live
Stable = code is fully ready, release goes into maintenance mode (only maintenance releases will be done, and we move on to the next major/minor versions)
See also the development strategy for an in-depth explanation --> http://dev.joomla.org/Joomla!%20Develop ... .v.1.0.pdf
-
- Joomla! Explorer
- Posts: 265
- Joined: Sun Jun 11, 2006 10:51 am
- Location: Finland
Re: dangerous vulnerability in joomla 1.5beta2
I did not mean that the fault is Joomla's, but the fact is that there are products named beta (like Google's many services) and code with version numbers less than 1.0 (many PEAR modules) that are fully usable. So it doesn't help anymore what J says; people don't read but act as they are used to. The assumption is that Beta = usable.
I don't think that Joomla could have done it (versioning, warnings) any differently, but it is useless to assume that just saying that beta is not for production use is good enough.
There is another thing also: beta was launched to be tested, so it is safe to assume that while there are no "production sites" out there, test sites are, and that those have still been indexed by Google. Or is there something in the beta distribution that prevents this?
To me, by the way, it seemed that the security flaw was only usable if beez was the selected template, and rhuk_milkyway is the default, so probably most of the test installations avoid this security flaw.
- Chris
- Joomla! Guru
- Posts: 812
- Joined: Sat Aug 20, 2005 3:58 am
- Location: Australia
- Contact:
Re: dangerous vulnerability in joomla 1.5beta2
hannul wrote:
There is another thing also: beta was launched to be tested, so it is safe to assume that while there are no "production sites" out there, test sites are, and that those have still been indexed by Google. Or is there something in the beta distribution that prevents this?
If one wants to stop indexing and/or anyone other than the owner of the site using it, there is .htaccess, robots.txt and other tricks to stop that, I would think. And I suppose that is what one should do with test sites anyway.
There is no failure until you give up.
Chris
- nathandiehl
- Joomla! Champion
- Posts: 6044
- Joined: Fri Aug 19, 2005 3:03 pm
- Location: Indiana, USA
- Contact:
Re: dangerous vulnerability in joomla 1.5beta2
I am going to move this to the Beta2 board, as this vulnerability was in beta2, not in RC.
If you're new to Joomla, Please read Anna's Joomla! Tips: http://forum.joomla.org/viewtopic.php?t=5503
http://nathandiehl.com | Find out what makes me tick