Joomla! News

Joomla! Quiz Component "tid" SQL Injection

SECUNIA ADVISORY ID:
SA28980

VERIFY ADVISORY:
http://secunia.com/advisories/28980/

CRITICAL:
Moderately critical

IMPACT:
Manipulation of data, Exposure of sensitive information

WHERE:
From remote

SOFTWARE:
Quiz 0.x (component for Joomla)
http://secunia.com/product/17582/

DESCRIPTION:
S@BUN has discovered a vulnerability in the Quiz component for
Joomla!, which can be exploited by malicious people to conduct SQL
injection attacks.

For more information:
SA28940

The vulnerability is confirmed in version 0.81. Other versions may
also be affected.

SOLUTION:
Edit the source code to ensure that input is properly sanitised.

PROVIDED AND/OR DISCOVERED BY:
S@BUN

ORIGINAL ADVISORY:
http://milw0rm.com/exploits/5119

OTHER REFERENCES:
SA28940:
http://secunia.com/advisories/28940/

Joomla! Rapid Recipe Component Two SQL Injection Vulnerabilities

SECUNIA ADVISORY ID:
SA28883

VERIFY ADVISORY:
http://secunia.com/advisories/28883/

CRITICAL:
Moderately critical

IMPACT:
Manipulation of data, Exposure of sensitive information

WHERE:
From remote

SOFTWARE:
Rapid Recipe 1.x (component for Joomla)
http://secunia.com/product/17541/

DESCRIPTION:
breaker_unit has discovered two vulnerabilities in the Rapid Recipe
component for Joomla!, which can be exploited by malicious people to
conduct SQL injection attacks.

Input passed to the "category_id" parameter (when "page" is set to
"viewcategorysrecipes") and "user_id" (when "page" is set to
"showuser") in the Joomla! installation's index.php script (when
"option" is set to "com_rapidrecipe") is not properly sanitised
before being used in SQL queries. This can be exploited to manipulate
SQL queries by injecting arbitrary SQL code.

Successful exploitation allows e.g. retrieving administrator
usernames and password hashes, but requires knowledge of the database
table prefix.

The vulnerabilities are confirmed in version 1.6.5. Other versions
may also be affected.

SOLUTION:
Filter malicious characters and character sequences using a web
proxy.

PROVIDED AND/OR DISCOVERED BY:
breaker_unit

Joomla! XML-RPC / Blogger API Vulnerability

SECUNIA ADVISORY ID:
SA28861

VERIFY ADVISORY:
http://secunia.com/advisories/28861/

CRITICAL:
Moderately critical

IMPACT:
Manipulation of data

WHERE:
From remote

SOFTWARE:
Joomla! 1.x
http://secunia.com/product/5788/

DESCRIPTION:
A vulnerability has been reported in Joomla!, which can be exploited
by malicious people to manipulate certain data.

The vulnerability is caused due to an error within XML-RPC in
combination with the blogger API plugin, which can be exploited to
manipulate or delete articles.

Successful exploitation requires that the blogger API plugin is
enabled.

The vulnerability is reported in version 1.5. Prior versions may also
be affected.

SOLUTION:
Update to version 1.5.1.
http://joomlacode.org/gf/project/joomla/frs/

PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.

ORIGINAL ADVISORY:
http://www.joomla.org/component/option,com_jd-wp/Itemid,105/p,486/

Joomla NeoReferences Component "catid" SQL Injection

SECUNIA ADVISORY ID:
SA28736

VERIFY ADVISORY:
http://secunia.com/advisories/28736/

CRITICAL:
Moderately critical

IMPACT:
Manipulation of data, Exposure of sensitive information

WHERE:
From remote

SOFTWARE:
NeoReferences 1.x (component for Joomla)
http://secunia.com/product/17422/

DESCRIPTION:
S@BUN has discovered a vulnerability in the NeoReferences component
for Joomla, which can be exploited by malicious people to conduct SQL
injection attacks.

Input passed to the "catid" parameter in the Joomla installation's
index.php script (when "option" is set to "com_neoreferences") is not
properly sanitised before being used in SQL queries. This can be
exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation allows e.g. retrieving administrator
usernames and password hashes, but requires knowledge of the database
table prefix.

The vulnerability is confirmed in version 1.3.3 and reported in
version 1.3.1. Other versions may also be affected.

SOLUTION:
Edit the source code to ensure that input is properly sanitised.

PROVIDED AND/OR DISCOVERED BY:
S@BUN

ORIGINAL ADVISORY:
http://milw0rm.com/exploits/5034
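
The Rapid Recipe workaround ("filter ... using a web proxy") and the NeoReferences fix both come down to rejecting non-integer values for the parameters named in those two advisories. The following is an added example, not code from Secunia or from either component; the names RULES and check_request are hypothetical, the request URLs are constructed, and it assumes the three IDs are unsigned decimal integers.

```python
from urllib.parse import urlsplit, parse_qs

# (option, page or None for "any page") -> parameter named in the advisories.
# Assumption: these IDs are unsigned decimal integers.
RULES = {
    ("com_rapidrecipe", "viewcategorysrecipes"): "category_id",
    ("com_rapidrecipe", "showuser"): "user_id",
    ("com_neoreferences", None): "catid",
}

# Constructed sample requests, not taken from any real log.
SAMPLE_REQUESTS = [
    "/index.php?option=com_rapidrecipe&page=viewcategorysrecipes&category_id=12",
    "/index.php?option=com_rapidrecipe&page=showuser&user_id=7%27",
    "/index.php?option=com_neoreferences&catid=3%20abc",
    "/index.php?option=com_neoreferences&catid=3&catid=4",
    "/index.php?option=com_content&id=abc",
]


def check_request(url):
    """Return (allowed, reason) for one request URL."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    # PHP keeps the last copy of a repeated parameter, so match on that one.
    option = query.get("option", [""])[-1].lower()
    page = query.get("page", [""])[-1].lower()
    for (rule_option, rule_page), param in RULES.items():
        if option != rule_option or rule_page not in (None, page):
            continue
        values = query.get(param, [])
        # A repeated ID could be read differently by the proxy and by PHP.
        if len(values) > 1:
            return False, f"{param} repeated"
        for value in values:
            # parse_qs has already percent-decoded the value.
            if not (value.isascii() and value.isdigit() and len(value) <= 10):
                return False, f"{param} is not a plain integer"
    return True, "ok"


if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        allowed, reason = check_request(request)
        print("ALLOW" if allowed else "BLOCK", reason, request)
```

Only the query string is inspected here; if the component also accepts these parameters from a POST body or cookie, the same check has to be applied there.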

VirtueMart File Disclosure and Cross-Site Request Forgery Vulnerabilities

SECUNIA ADVISORY ID:
SA28722

VERIFY ADVISORY:
http://secunia.com/advisories/28722/

CRITICAL:
Moderately critical

IMPACT:
Cross Site Scripting, Exposure of system information, Exposure of
sensitive information

WHERE:
From remote

SOFTWARE:
VirtueMart 1.x
http://secunia.com/product/11832/
VirtueMart Joomla! eCommerce Edition 1.x
http://secunia.com/product/12169/

DESCRIPTION:
Two vulnerabilities have been reported in VirtueMart, which can be
exploited by malicious people to conduct cross-site request forgery
attacks or to disclose sensitive information.

1) Input passed to the application when viewing a product is not
properly verified before being used to read files. This can be
exploited to read arbitrary files from local resources.

2) The application allows users to perform certain actions via HTTP
requests without performing any validity checks to verify the
request. This can be exploited to perform restricted actions by
tricking a user into opening a malicious webpage.

The vulnerabilities are reported in versions prior to 1.0.14.

SOLUTION:
Update to version 1.0.14 or apply patches.
https://dev.virtuemart.net/cb/proj/doc.do?doc_id=1006

PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.

ORIGINAL ADVISORY:
1) http://virtuemart.net/index.php?option=com_content&task=view&id=275&Itemid=127
2) http://virtuemart.net/index.php?option=com_content&task=view&id=276&Itemid=127

Joomla! Cross-Site Request Forgery and Script Insertion Vulnerabilities

SECUNIA ADVISORY ID:
SA28219

VERIFY ADVISORY:
http://secunia.com/advisories/28219/

CRITICAL:
Less critical

IMPACT:
Cross Site Scripting

WHERE:
From remote

SOFTWARE:
Joomla! 1.x
http://secunia.com/product/5788/

DESCRIPTION:
Some vulnerabilities have been reported in Joomla!, which can be
exploited by malicious users to conduct script insertion attacks and
by malicious people to conduct cross-site request forgery attacks.

1) Some vulnerabilities are caused due to various components and
modules for Joomla! allowing users to perform certain actions via
HTTP requests, without performing any validity checks to verify the
request. This can be exploited to e.g. add new super administrators.

2) Input passed via the poll options and the poll title in the
com_poll component is not properly sanitised before being used. This
can be exploited to insert arbitrary HTML and script code, which will
be executed in a user's browser session in context of an affected site
when viewing a page containing a malicious poll.

Successful exploitation requires privileges to edit polls.

SOLUTION:
Restrict access to trusted users only and edit the source code to
ensure that input is properly sanitised. Do not browse other
websites while logged in to Joomla!.

Some of the vulnerabilities are fixed in Joomla! 1.5 RC4.

PROVIDED AND/OR DISCOVERED BY:
1) Armando Romeo aka Zinho and Jose Carlos Nieto
2) Armando Romeo aka Zinho

ORIGINAL ADVISORY:
1) http://www.hackerscenter.com/archive/view.asp?id=28138
2) http://joomlacode.org/gf/project/joomla/tracker/?action=TrackerItemEdit&tracker_item_id=7358
