DESCRIPTION:
Sammy Forgit has reported a vulnerability in the Easy Flash Uploader
module for Joomla!, which can be exploited by malicious people to
compromise a vulnerable system.
The vulnerability is caused by the
plugins/content/efup_files/helper.php script allowing the upload of
files with arbitrary extensions to a folder inside the webroot. This
can be exploited to execute arbitrary PHP code by uploading a
malicious PHP script.
The vulnerability is reported in version 2.0. Prior versions may also
be affected.
SOLUTION:
Update to version 2.1.
PROVIDED AND/OR DISCOVERED BY:
Sammy Forgit, OpenSysCom
ORIGINAL ADVISORY:
Easy Flash Uploader:
https://www.valorapps.com/12-notices/27-easy-flash-uploader-version-2-1-is-released.html
DESCRIPTION:
Sammy Forgit has discovered a vulnerability in the Art Uploader
module for Joomla!, which can be exploited by malicious people to
compromise a vulnerable system.
The vulnerability is caused by the
modules/mod_artuploader/upload.php script allowing the upload of
files with arbitrary extensions to a folder inside the webroot. This
can be exploited to execute arbitrary PHP code by uploading a
malicious PHP script.
The vulnerability is confirmed in version 1.0.1. Other versions may
also be affected.
SOLUTION:
Restrict access to the modules/mod_artuploader/upload.php script
(e.g. via .htaccess).
PROVIDED AND/OR DISCOVERED BY:
Sammy Forgit, OpenSysCom.
ORIGINAL ADVISORY:
OpenSysCom:
http://www.opensyscom.fr/Actualites/joomla-modules-art-uploader-arbitrary-file-upload-vulnerability.html
DESCRIPTION:
Secunia Research has discovered two vulnerabilities in the JCE
component for Joomla!, which can be exploited by malicious users to
bypass certain security restrictions and by malicious people to
conduct cross-site scripting attacks.
1) Input passed to the "search" parameter in administrator/index.php
(when "option" is set to "com_jce" and "view" is set to "users") is
not properly sanitised before being returned to the user. This can be
exploited to execute arbitrary HTML and script code in a user's
browser session in the context of an affected site.
2) An error due to the
components/com_jce/editor/extensions/browser/file.php script not
properly verifying requests to rename files can be exploited to
rename e.g. core Joomla! configuration files, resulting in the
application becoming unavailable.
Successful exploitation of this vulnerability requires "Author"
privileges.
The vulnerabilities are confirmed in version 2.1.0. Other versions
may also be affected.
SOLUTION:
Update to version 2.1.3.
PROVIDED AND/OR DISCOVERED BY:
Jon Butler, Secunia.
ORIGINAL ADVISORY:
JCE:
http://www.joomlacontenteditor.net/news/item/jce-213-released?category_id=32
DESCRIPTION:
Secunia Research has discovered two vulnerabilities in the JCE
component for Joomla!, which can be exploited by malicious users to
compromise a vulnerable system and by malicious people to conduct
cross-site scripting attacks.
1) Input passed to the "search" parameter in administrator/index.php
(when "option" is set to "com_jce" and "view" is set to "profiles")
is not properly sanitised before being returned to the user. This can
be exploited to execute arbitrary HTML and script code in a user's
browser session in the context of an affected site.
2) An error due to the
components/com_jce/editor/extensions/browser/file.php script (when
"chunk" is set to a value greater than "0") not properly verifying
uploaded files can be exploited to execute arbitrary PHP code by
uploading a PHP file with e.g. a ".jpg.pht" file extension.
Successful exploitation of this vulnerability requires "Author"
privileges.
The vulnerabilities are confirmed in version 2.0.21. Prior versions
may also be affected.
SOLUTION:
Update to version 2.1.0.
PROVIDED AND/OR DISCOVERED BY:
Jon Butler, Secunia.
ORIGINAL ADVISORY:
Secunia Research:
http://secunia.com/secunia_research/2012-14/
http://secunia.com/secunia_research/2012-15/
JCE:
http://www.joomlacontenteditor.net/news/item/jce-21-released?category_id=32
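
ADDED EXAMPLE:
The upload flaws described above (arbitrary extensions in Easy Flash Uploader and Art Uploader, and the ".jpg.pht" case in JCE) come down to how an uploaded file name is checked. The following is an added example, not code from any of these extensions or their vendors; it also rejects an executable segment in the middle of a name, which goes beyond the cases the advisories name. The extension sets, function name and sample names are assumptions made for illustration.

```python
import os

# Assumption: extensions a web server may be configured to pass to the PHP
# interpreter. Illustrative only; derive the real list from the handler config.
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "phtml", "pht", "phar"}
# Assumption: the uploader is meant to accept images only.
ALLOWED_EXTS = {"jpg", "jpeg", "png", "gif"}


def check_upload_name(name):
    """Return (accepted, reason) for a client-supplied upload file name."""
    base = os.path.basename(name.replace("\\", "/"))
    if base != name or "\x00" in name:
        return False, "path separator or NUL byte in name"
    if base.startswith("."):
        return False, "dotfile (e.g. .htaccess)"
    stem, *exts = base.lower().split(".")
    if not exts:
        return False, "no extension"
    # Every dot-separated segment counts, not only the last one: both
    # "x.jpg.pht" and "x.php.jpg" must be rejected.
    for ext in exts:
        if ext.strip() in EXECUTABLE_EXTS:
            return False, "executable extension ." + ext.strip()
    if exts[-1] not in ALLOWED_EXTS:
        return False, "extension ." + exts[-1] + " not in allowlist"
    return True, "ok"


# Constructed sample names, not taken from the advisories.
SAMPLES = ["photo.jpg", "logo.PNG", "image.jpg.pht", "image.php.jpg",
           "script.php", ".htaccess", "../config.jpg", "readme"]

if __name__ == "__main__":
    for sample in SAMPLES:
        accepted, reason = check_upload_name(sample)
        verdict = "accept" if accepted else "reject"
        print(f"{sample!r:20} {verdict}: {reason}")
```

A name check of this kind complements, and does not replace, storing uploads outside the webroot or disabling script handling in the upload folder.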