Joomla! News

Joomla! Datafeeds Component "controller" Local File Inclusion Vulnerability

SECUNIA ADVISORY ID:
SA39360

VERIFY ADVISORY:
http://secunia.com/advisories/39360/

DESCRIPTION:
A vulnerability has been discovered in the Datafeeds component for
Joomla!, which can be exploited by malicious people to disclose
sensitive information.

Input passed via the "controller" parameter to index.php (when
"option" is set to "com_datafeeds") is not properly verified before
being used to include files. This can be exploited to include
arbitrary files from local resources via directory traversal
sequences and URL-encoded NULL bytes.

The vulnerability is confirmed in build 880. Other versions may also
be affected.

SOLUTION:
Edit the source code to ensure that input is properly verified.

PROVIDED AND/OR DISCOVERED BY:
AntiSecurity

Joomla! XOBBIX Component "prodid" SQL Injection Vulnerability

SECUNIA ADVISORY ID:
SA39312

VERIFY ADVISORY:
http://secunia.com/advisories/39312/

DESCRIPTION:
A vulnerability has been discovered in the XOBBIX component for
Joomla!, which can be exploited by malicious people to conduct SQL
injection attacks.

Input passed via the "prodid" parameter to index.php (when "option"
is set to "com_xobbix" and "task" is set to "prod_desc") is not
properly sanitised before being used in SQL queries. This can be
exploited to manipulate SQL queries by injecting arbitrary SQL code.

The vulnerability has been confirmed in version 1.0.1. Other versions
may also be affected.

SOLUTION:
Edit the source code to ensure that input is properly sanitised.

PROVIDED AND/OR DISCOVERED BY:
AntiSecurity

Joomla! Seber Cart Component "view" Local File Inclusion Vulnerability

SECUNIA ADVISORY ID:
SA39355

VERIFY ADVISORY:
http://secunia.com/advisories/39355/

DESCRIPTION:
A vulnerability has been discovered in the Seber Cart component for
Joomla!, which can be exploited by malicious people to disclose
sensitive information.

Input passed via the "view" parameter to index.php (when "option" is
set to "com_sebercart") is not properly verified before being used to
include files. This can be exploited to include arbitrary files from
local resources via directory traversal sequences and URL-encoded
NULL bytes.

Successful exploitation requires that "magic_quotes_gpc" is
disabled.

The vulnerability is confirmed in version 1.0.0.13. Other versions
may also be affected.

SOLUTION:
Edit the source code to ensure that input is properly verified.

PROVIDED AND/OR DISCOVERED BY:
AntiSecurity

Joomla! J!WHMCS Integrator Component "controller" Local File Inclusion Vulnerability

SECUNIA ADVISORY ID:
SA39356

VERIFY ADVISORY:
http://secunia.com/advisories/39356/

DESCRIPTION:
A vulnerability has been reported in the J!WHMCS Integrator component
for Joomla!, which can be exploited by malicious people to disclose
sensitive information.

Input passed via the "controller" parameter to index.php (when
"option" is set to "com_jwhmcs") is not properly verified before
being used to include files. This can be exploited to include
arbitrary files from local resources via directory traversal
sequences and URL-encoded NULL bytes.

SOLUTION:
Edit the source code to ensure that input is properly verified.

PROVIDED AND/OR DISCOVERED BY:
AntiSecurity

Joomla! VJDEO Component "controller" Local File Inclusion Vulnerability

SECUNIA ADVISORY ID:
SA39296

VERIFY ADVISORY:
http://secunia.com/advisories/39296/

DESCRIPTION:
A vulnerability has been discovered in the VJDEO component for
Joomla!, which can be exploited by malicious people to disclose
sensitive information.

Input passed via the "controller" parameter to index.php (when
"option" is set to "com_vjdeo") is not properly verified before being
used to include files. This can be exploited to include arbitrary
files from local resources via directory traversal sequences and
URL-encoded NULL bytes.

The vulnerability is confirmed in version 1.0.1. Other versions may
also be affected.

SOLUTION:
Edit the source code to ensure that input is properly verified.

PROVIDED AND/OR DISCOVERED BY:
Angela Zhang

iJoomla News Portal "controller" Local File Inclusion Vulnerability

SECUNIA ADVISORY ID:
SA39289

VERIFY ADVISORY:
http://secunia.com/advisories/39289/

DESCRIPTION:
A vulnerability has been reported in the iJoomla News Portal
component for Joomla!, which can be exploited by malicious people to
disclose sensitive information.

Input passed via the "controller" parameter to index.php (when
"option" is set to "com_news_portal") is not properly verified before
being used to include files. This can be exploited to include
arbitrary files from local resources via directory traversal
sequences and URL-encoded NULL bytes.

SOLUTION:
Edit the source code to ensure that input is properly verified.

PROVIDED AND/OR DISCOVERED BY:
AntiSecurity
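
The five file inclusion advisories above share one request pattern: a listed "option" value together with a "controller" or "view" parameter carrying directory traversal sequences or a URL-encoded NULL byte. The following is an added example, not code from Secunia or from any of the components, that flags that pattern in web server access logs. It assumes an Apache-style request field in each log line; the function names are hypothetical and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# "option" value -> include parameter, as named in the advisories above.
WATCHED = {"com_datafeeds": "controller", "com_sebercart": "view",
           "com_jwhmcs": "controller", "com_vjdeo": "controller",
           "com_news_portal": "controller"}
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_request(url):
    """Return the reasons a request URL matches the advisories' pattern."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    reasons = []
    for option in params.get("option", []):
        param = WATCHED.get(option.lower())
        for raw in (params.get(param, []) if param else []):
            value = fully_decode(raw).replace("\\", "/")
            if "\x00" in value:
                reasons.append(f"{option}:{param}: NUL byte")
            if ".." in value.replace("\x00", "").split("/"):
                reasons.append(f"{option}:{param}: directory traversal")
    return reasons

def scan_log(lines):
    """Return (line_number, reasons) for each flagged access-log line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        reasons = inspect_request(match.group(1)) if match else []
        if reasons:
            hits.append((number, reasons))
    return hits

# Constructed sample log lines (documentation IPs, placeholder file names).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2010:00:00:01 +0000] "GET /index.php?option=com_datafeeds&controller=feeds HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2010:00:00:02 +0000] "GET /index.php?option=com_sebercart&view=..%2F..%2Fplaceholder%00 HTTP/1.1" 200 1024',
    '198.51.100.7 - - [01/Jan/2010:00:00:03 +0000] "GET /index.php?option=com_vjdeo&controller=%252e%252e%252fplaceholder HTTP/1.1" 200 1024',
    '192.0.2.10 - - [01/Jan/2010:00:00:04 +0000] "GET /index.php?option=com_content&view=article HTTP/1.1" 200 2048',
]
```

scan_log(SAMPLE_LOG) flags lines 2 and 3 only. The check covers query-string parameters; requests that carry the same parameters in a POST body are not visible in a standard access log.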
