Joomla! Joomla Captcha Plugin "lng" Information Disclosure Vulnerability

SECUNIA ADVISORY ID:
SA42833

VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/42833/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=42833

RELEASE DATE:
2011-01-10
DESCRIPTION:
A vulnerability has been discovered in Joomla Captcha plugin for
Joomla!, which can be exploited by malicious people to disclose
potentially sensitive information.

Input passed via the "lng" parameter to
plugins/system/captcha/playcode.php is not properly verified before
being used. This can be exploited to read the contents of arbitrary
files from local resources via directory traversal sequences and
URL-encoded NULL bytes.

Successful exploitation requires that "magic_quotes_gpc" is
disabled.

The vulnerability is confirmed in version 4.5.1. Other versions may
also be affected.

SOLUTION:
Edit the source code to ensure that input is properly verified.

PROVIDED AND/OR DISCOVERED BY:
dun