FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

joomla -- multiple vulnerabilities

Affected packages
1.5.1 <= joomla15 <= 1.5.15

Details

VuXML ID 8d10038e-515c-11df-83fb-0015587e2cc1
Discovery 2010-04-23
Entry 2010-04-26

Joomla! reported the following vulnerabilities:

If a user entered a URL with a negative query limit or offset, a PHP notice would display revealing information about the system..

The migration script in the Joomla! installer does not check the file type being uploaded. If the installation application is present, an attacker could use it to upload malicious files to a server.

Session id doesn't get modified when user logs in. A remote site may be able to forward a visitor to the Joomla! site and set a specific cookie. If the user then logs in, the remote site can use that cookie to authenticate as that user.

When a user requests a password reset, the reset tokens were stored in plain text in the database. While this is not a vulnerability in itself, it allows user accounts to be compromised if there is an extension on the site with an SQL injection vulnerability.

References

URL http://developer.joomla.org/security/news/308-20100423-core-password-reset-tokens.html
URL http://developer.joomla.org/security/news/309-20100423-core-sessation-fixation.html
URL http://developer.joomla.org/security/news/310-20100423-core-installer-migration-script.html
URL http://developer.joomla.org/security/news/311-20100423-core-negative-values-for-limit-and-offset.html