
Bug 358609

Summary: www-apps/joomla: multiple vulnerabilities in 1.6.0
Product: Gentoo Security
Reporter: Paweł Hajdan, Jr. (RETIRED) <phajdan.jr>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID
Severity: trivial
CC: fauli, oli.huber, web-apps
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://secunia.com/advisories/43658/
Whiteboard: ~3 [noglsa]
Package list:
Runtime testing required: ---

Description Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-03-12 20:28:49 UTC
Multiple vulnerabilities have been reported in Joomla!, which can be exploited by malicious users to bypass certain security restrictions and cause a DoS (Denial of Service) and by malicious people to disclose sensitive information, conduct cross-site scripting and request forgery, and SQL injection attacks.

1) Certain unspecified input is not properly sanitised before being used. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

NOTE: This can further be exploited to disclose the installation path via SQL error messages.

2) Certain unhandled exceptions can be exploited to disclose the full installation path.

3) Certain double URL-encoded input is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

4) Certain unspecified input is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

5) An error in the checking of access permissions can be exploited to disclose certain information.

6) Certain unspecified input is not properly verified before being used to redirect users. This can be exploited to redirect a user to an arbitrary site e.g. when the user clicks a specially crafted link to the affected script hosted on a trusted domain.

7) Certain unspecified input is not properly sanitised before being used. This can be exploited to disclose potentially sensitive information.

8) An error in the handling of access permissions can be exploited to edit otherwise restricted files.

9) The application allows users to perform certain actions via HTTP requests without making proper validity checks to verify the requests. This can be exploited to perform certain unspecified actions within the application by tricking a user into visiting a malicious web site while being logged in to the application.

10) An error within the editor caching facility can be exploited to use all available disk space.

The vulnerabilities are reported in versions prior to 1.6.1.
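Item 3 above describes the classic double-URL-encoding failure: a sanitiser runs after one decode, and a later layer decodes again, re-creating markup the sanitiser never saw. The following added example (not code from the advisory or from Joomla!) models that sequence in Python with constructed inputs and shows the defensive fix of canonicalising to a stable form before escaping once.

```python
from html import escape
from urllib.parse import unquote

# Constructed sample inputs (not taken from the advisory). The second is
# double URL-encoded, so one decode still leaves %-sequences behind.
SINGLE_ENCODED = "%3Cb%3Ehi%3C%2Fb%3E"
DOUBLE_ENCODED = "%253Cb%253Ehi%253C%252Fb%253E"
PLAIN = "hello%20world"


def naive_render(raw: str) -> str:
    """Decode once, escape, then let a later layer decode again.

    This models the item-3 failure mode: the sanitiser inspects text that
    is still encoded ("%3Cb%3E"), finds nothing to escape, and the second
    decode then turns it back into live markup.
    """
    decoded_once = unquote(raw)
    escaped = escape(decoded_once)   # sees no '<' or '>' in double-encoded input
    return unquote(escaped)          # downstream decode undoes the protection


def canonicalize(raw: str, max_rounds: int = 3) -> str:
    """Decode until the value stops changing.

    Inputs that are still changing after max_rounds are rejected rather
    than passed on, so nested encoding cannot be used to exhaust the
    normaliser or slip past it.
    """
    current = raw
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            return current
        current = decoded
    raise ValueError("input still encoded after %d decode rounds" % max_rounds)


def safe_render(raw: str) -> str:
    """Canonicalise first, then escape exactly once with no later decode."""
    return escape(canonicalize(raw), quote=True)


def is_safe(rendered: str) -> bool:
    """Rendering check: no raw angle bracket may reach the browser."""
    return "<" not in rendered and ">" not in rendered
```

Running both renderers over SINGLE_ENCODED and DOUBLE_ENCODED shows the naive path is only defeated by the double-encoded form, which is exactly why a single-decode sanitiser looks correct in ordinary testing.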
Comment 1 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-03-12 20:30:49 UTC
Maintainers, please make sure the ebuild for joomla-1.6.1 is not hard masked and has at least the same keywords the previous ~arch ebuild has.
Comment 2 Christian Faulhammer (RETIRED) gentoo-dev 2011-03-13 10:55:31 UTC
The hard mask will not be reverted as 1.6 is a major rewrite, and an upgrade is not so easily done. Apart from this, the Secunia advisory is a bit misleading as 1.6.0 is the only affected version, not anything below that; see the original Joomla! advisories. From the Joomla! FAQ:

Question: how long will Joomla 1.5 and 1.6 be supported?
Joomla 1.5 is branded a Long Term Support Release (LTS) and will have support until the beginning of April 2012. Joomla 1.6 is a standard support release, and will be supported until August 2011. Joomla 1.7 should be released in July 2011. More about the development strategy can be found here: http://developer.joomla.org/strategy.html.

Additional KEYWORDS added.
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2011-03-22 22:27:53 UTC
I've been through the Joomla advisories, most easily found at http://www.joomla.org/announcements/release-news/5350-joomla-161-released.html, and agree it looks like this only affected 1.6.0, which was never in the tree.

http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/www-apps/joomla/?hideattic=0

Therefore, I do not think we have anything to do here; please reopen if you disagree. Thanks, everyone.