ISS X-Force Database: joomla-multiple-path-disclosure(25028): Joomla! syndication module or "mod

Joomla! syndication module or "mod_templatechooser" path disclosure

joomla-multiple-path-disclosure (25028)

Low Risk

Description:

Joomla! could allow a remote attacker to obtain sensitive information. A remote attacker could send specially-crafted statements to the syndication module or the "mod_templatechooser" to trigger error messages which could contain the installation path.

Platforms Affected:

Joomla!, Joomla! 1.0.7 and prior

Remedy:

Upgrade to the current version of Joomla! (version 1.0.8 or later) available from the Joomla! Web site. See References.

Consequences:

Obtain Information

References:

Bugtraq Mailing List, Thu Mar 02 2006 - 00:19:19 CST, JOOMLA CMS 1.0.7 DoS & path disclosing at http://archives.neohapsis.com/archives/bugtraq/2006-02/0601.html.
Joomla! Web site, Joomla! - Main at http://www.joomla.org/component/option,com_frontpage/Itemid,1/.
CVE-2006-1027: feedcreator.class.php (aka the syndication component) in Joomla! 1.0.7 allows remote attackers to obtain sensitive information via a / (slash) in the feed parameter to index.php, which reveals the path in an error message.
CVE-2006-1030: Unspecified vulnerability in mod_templatechooser in Joomla! 1.0.7 allows remote attackers to obtain sensitive information via an unspecified attack vector that reveals the path.
OSVDB ID: 23815: Joomla! Syndication Component Malformed Filename Path Disclosure
OSVDB ID: 23818: Joomla! mod_templatechooser Path Disclosure
SA19105: Joomla! Multiple Vulnerabilities
VUPEN/ADV-2006-0818: Joomla! Remote SQL Injection and Information Disclosure Vulnerabilities

Reported:

Mar 02, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page