DESCRIPTION: A vulnerability has been discovered in the Graphics component for Joomla, which can be exploited by malicious people to disclose potentially sensitive information.
Input passed to the "controller" parameter in index.php (when "option" is set to "com_graphics") is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources via directory traversal attacks and URL-encoded NULL bytes.
The vulnerability is confirmed in version 1.5.0. Other versions may also be affected.
SOLUTION: Edit the source code to ensure that input is properly verified.
DESCRIPTION: A weakness and a vulnerability have been reported in Joomla, which can be exploited by malicious people to disclose sensitive information and conduct session fixation attacks.
1) The weakness is caused due to password reset tokens being stored in plain text in the database, which can be exploited to reset a user's password if the token can be disclosed (e.g. by exploiting a SQL injection vulnerability).
2 )The vulnerability is caused due to an error in the handling of sessions and can be exploited to hijack another user's session by tricking the user into logging in after following a specially crafted link.
NOTE: Errors in the Installer Migration Script and in handling of Limit and Offset queries were also fixed.
The weakness and the vulnerability are reported in versions prior to 1.5.16.
SOLUTION: Update to version 1.5.16 or later.
PROVIDED AND/OR DISCOVERED BY: 1) The vendor credits Madis Abel. 2) The vendor credits Raul Siles and Steven Pignataro.
DESCRIPTION: A vulnerability and a security issue have been discovered in the Portfolio component for Joomla!, which can be exploited by malicious people to enumerate files on an affected system and to compromise a vulnerable system.
1) phpThumb.php returns different error messages depending on the existence of the file passed via the "src" parameter. This can be exploited to enumerate existing files on the local system via directory traversal sequences.
2) Input passed via the "fltr[]" parameter to components/com_portfolio/includes/phpthumb/phpThumb.php can be exploited to inject and execute arbitrary shell commands
For more information: SA39556
The security issue and the vulnerability are confirmed in version 2.0.2. Other versions may also be affected.
SOLUTION: Edit the source code to ensure that input is properly sanitised.
PROVIDED AND/OR DISCOVERED BY: 1) Mr.tro0oqy 2) Originally reported in phpThumb() by an anonymous person.
