Joomla! News

Joomla JGrid Component File Inclusion and SQL Injection Vulnerabilities

SECUNIA ADVISORY ID:
SA40987

VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/40987/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=40987

RELEASE DATE:
2010-08-19

DESCRIPTION:
Two vulnerabilities have been reported in the JGrid component for
Joomla, which can be exploited by malicious people to disclose
potentially sensitive information and conduct SQL injection attacks.

1) Input passed to the "controller" parameter in index.php (when
"option" is set to "com_jgrid") is not properly verified before being
used to include files. This can be exploited to include arbitrary
files from local resources via directory traversal attacks and
URL-encoded NULL bytes.

2) Input passed via unspecified parameters is not properly sanitised
before being used in a SQL query. This can be exploited to manipulate
SQL queries by injecting arbitrary SQL code.

The vulnerabilities are reported in version 1.0. Other versions may
also be affected.

SOLUTION:
Update to version 1.1.

PROVIDED AND/OR DISCOVERED BY:
1) Salvatore Fresta aka Drosophila.
2) Reported by the vendor.

ORIGINAL ADVISORY:
Salvatore Fresta:
http://www.salvatorefresta.net/?opt=newsid&id=44

JGrid:
http://www.datagrids.clubsareus.org/index.php?view=article&catid=1:latest-news&id=45:jgrid-joomla-component-now-available


Joomla onGallery Component "id" SQL Injection Vulnerability

SECUNIA ADVISORY ID:
SA41017

VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/41017/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=41017

RELEASE DATE:
2010-08-18

DESCRIPTION:
A vulnerability has been reported in the onGallery component for
Joomla, which can be exploited by malicious people to conduct SQL
injection attacks.

Input passed via the "id" parameter to index.php (when "option" is
set to "com_ongallery" and "task" is set to "ft") is not properly
sanitised before being used in a SQL query. This can be exploited to
manipulate SQL queries by injecting arbitrary SQL code.

NOTE: This can further be exploited to conduct cross-site scripting
attacks via SQL error messages.

The vulnerability is reported in version 2.0.1. Other versions may
also be affected.

SOLUTION:
Edit the source code to ensure that input is properly sanitised.

PROVIDED AND/OR DISCOVERED BY:
al bayraqim


Joomla! Teams Component "PlayerID" SQL Injection Vulnerability

SECUNIA ADVISORY ID:
SA40933

VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/40933/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=40933

RELEASE DATE:
2010-08-11

DESCRIPTION:
Salvatore Fresta has discovered a vulnerability in the Teams
component for Joomla!, which can be exploited by malicious people to
conduct SQL injection attacks.

Input passed via the "PlayerID" parameter to index.php (when "option"
is set to "com_teams", "task" is set to "save", and "controller" is
set to "player") is not properly sanitised before being used in SQL
queries. This can be exploited to manipulate SQL queries by injecting
arbitrary SQL code.

The vulnerability is confirmed in version 1. Other versions may also
be affected.

SOLUTION:
Edit the source code to ensure that input is properly sanitised.

PROVIDED AND/OR DISCOVERED BY:
Salvatore Fresta aka Drosophila

ORIGINAL ADVISORY:
http://adv.salvatorefresta.net/Teams_1_1028_100809_1711_Joomla_Component_Multiple_Blind_SQL_Injection_Vulnerabilities-10082010.txt

Joomla! Amblog Component "catid" and "articleid" SQL Injection Vulnerabilities

SECUNIA ADVISORY ID:
SA40932

VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/40932/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=40932

RELEASE DATE:
2010-08-10

DESCRIPTION:
Salvatore Fresta has discovered some vulnerabilities in the Amblog
component for Joomla!, which can be exploited by malicious people to
conduct SQL injection attacks.

1) Input passed via the "catid" parameter to index.php (when "option"
is set to "com_amblog" and "view" is set to "amblog") is not properly
sanitised before being used in SQL queries. This can be exploited to
manipulate SQL queries by injecting arbitrary SQL code.

2) Input passed via the "catid" parameter to index.php (when "option"
is set to "com_amblog" and "task" is set to "newform") is not properly
sanitised before being used in SQL queries. This can be exploited to
manipulate SQL queries by injecting arbitrary SQL code.

3) Input passed via the "articleid" parameter to index.php (when
"option" is set to "com_amblog" and "task" is set to "article",
"editform", "editcommentform", "savenewcomment", "saveeditcomment",
"editsave", or "delete") is not properly sanitised before being used
in SQL queries. This can be exploited to manipulate SQL queries by
injecting arbitrary SQL code.

The vulnerabilities are confirmed in version 1.0. Other versions may
also be affected.

SOLUTION:
Edit the source code to ensure that input is properly sanitised.

PROVIDED AND/OR DISCOVERED BY:
Salvatore Fresta aka Drosophila

ORIGINAL ADVISORY:
http://adv.salvatorefresta.net/Amblog_1.0_Joomla_Component_Multiple_SQL_Injection_Vulnerabilities-10082010.txt
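
A log-triage sketch for the parameters named in the JGrid, onGallery, Teams and Amblog advisories above; it is an added example, not part of the Secunia advisories. The log lines and the controller name "grid" are constructed, and only query-string parameters are inspected, so values sent in a POST body are not seen.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Integer parameters named in the advisories, keyed by Joomla "option".
NUMERIC_PARAMS = {
    "com_ongallery": {"id"},
    "com_teams": {"playerid"},
    "com_amblog": {"catid", "articleid"},
}
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def classify(url):
    """Return a list of findings for one request URL (empty if clean)."""
    # parse_qsl percent-decodes values, so %2F and %00 are checked decoded.
    params = {k.lower(): v for k, v in
              parse_qsl(urlsplit(url).query, keep_blank_values=True)}
    option = params.get("option", "").lower()
    findings = []
    if option == "com_jgrid":
        ctrl = params.get("controller", "")
        # A legitimate controller is a bare name: no path parts, no NUL.
        if ctrl and not re.fullmatch(r"[A-Za-z0-9_]+", ctrl):
            findings.append("com_jgrid: controller is not a bare name")
    for name in sorted(NUMERIC_PARAMS.get(option, ())):
        value = params.get(name)
        if value is not None and not re.fullmatch(r"[0-9]+", value):
            findings.append(f"{option}: {name} is not a plain integer")
    return findings

def scan(lines):
    """Yield (line_number, finding) for combined-format access-log lines."""
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m:
            for finding in classify(m.group(1)):
                yield n, finding

# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Aug/2010:10:00:01 +0000] "GET /index.php?option=com_jgrid&controller=grid HTTP/1.1" 200 5120',
    '192.0.2.11 - - [19/Aug/2010:10:00:02 +0000] "GET /index.php?option=com_jgrid&controller=..%2F..%2Fx%00 HTTP/1.1" 200 312',
    '192.0.2.12 - - [19/Aug/2010:10:00:03 +0000] "GET /index.php?option=com_ongallery&task=ft&id=7 HTTP/1.1" 200 2048',
    '192.0.2.13 - - [19/Aug/2010:10:00:04 +0000] "GET /index.php?option=com_amblog&view=amblog&catid=3%27 HTTP/1.1" 500 97',
]

if __name__ == "__main__":
    for n, finding in scan(SAMPLE_LOG):
        print(f"line {n}: {finding}")
```

The same two rules (controller is a bare name, identifiers are plain integers) are what the component code itself should enforce before the value reaches an include or a query.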


Joomla 1.6 Beta 7 Released

Joomla! has announced a new release, Joomla 1.6 Beta 7 (download here). Note: this beta does not yet work with other extensions and is not recommended for production websites; it is released for testing and evaluation only.

Since Joomla 1.6 beta 6 was released on 26 July, the team has fixed 85 reported issues. The progress in this release therefore consists of fixes that make it work better, thanks to the efforts of the Joomla! Bug Squad. We thank the team for their hard work, which has made the system more stable!

You can see the details of the changes in this release in the CHANGELOG.php file.

What comes next?


Joomla! cgTestimonial Component Cross-Site Scripting and Arbitrary File Upload

SECUNIA ADVISORY ID:
SA40926

VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/40926/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=40926

RELEASE DATE:
2010-08-09

DESCRIPTION:
Salvatore Fresta has discovered some vulnerabilities in the
cgTestimonial component for Joomla!, which can be exploited by
malicious users and malicious people to compromise a vulnerable
system and by malicious people to conduct cross-site scripting
attacks.

1) Input passed to the "url" parameter in
components/com_cgtestimonial/video.php is not properly sanitised
before being returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in context
of an affected site.

2) An error in the components/com_cgtestimonial/cgtestimonial.php
script allows upload of files with arbitrary extensions to a folder
inside the web root. This can be exploited to execute arbitrary PHP
code by uploading a PHP file with e.g. an "image/jpg" content type.

3) An error in the
administrator/components/com_cgtestimonial/testimonial.php script
allows upload of files with arbitrary extensions to a folder inside
the web root. This can be exploited to execute arbitrary PHP code by
uploading a PHP file with e.g. an "image/jpg" content type.

Successful exploitation of this vulnerability requires "Public
Back-end" permissions.

The vulnerabilities are confirmed in version 1.0. Other versions may
also be affected.

SOLUTION:
Edit the source code to ensure that input is properly sanitised.
Restrict access to the components/com_cgtestimonial/user_images
directory (e.g. via .htaccess).

PROVIDED AND/OR DISCOVERED BY:
Salvatore Fresta aka Drosophila

ORIGINAL ADVISORY:
http://adv.salvatorefresta.net/cgTestimonial_2.2_Joomla_Component_Multiple_Remote_Vulnerabilities-06082010.txt
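
The upload check that items 2) and 3) of the cgTestimonial advisory call for, as an added example that is not the component's code (the component is PHP; Python is used here only to show the logic). The function name and the allowed formats are assumptions.

```python
import os
import secrets

# Allowed image extensions and the leading bytes each format must start with.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def safe_upload_name(client_name, declared_type, data):
    """Return a server-chosen file name, or raise ValueError.

    declared_type is the Content-Type sent by the client. It is ignored
    on purpose: the decision rests on the extension and the file content.
    """
    # Drop any directory part, whichever separator the client used.
    base = os.path.basename(client_name.replace("\\", "/"))
    if "\x00" in base:
        raise ValueError("NUL byte in file name")
    ext = os.path.splitext(base)[1].lower()
    if ext not in MAGIC:
        raise ValueError(f"extension {ext or '(none)'} not allowed")
    if not data.startswith(MAGIC[ext]):
        raise ValueError("content does not match extension")
    # Never reuse the client's name: a random one cannot overwrite an
    # existing file or carry a second extension through to disk.
    return secrets.token_hex(16) + ext
```

A content check does not make the directory safe on its own, so it belongs alongside the access restriction on components/com_cgtestimonial/user_images given in the solution above.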

