[VIM] False: JEvents1.4.1 For Joomla Remote File Include Vulnerability

George A. Theall theall at tenablesecurity.com
Fri Jun 8 18:06:22 UTC 2007


Milw0rm 4048 seems bogus to me. I grabbed the code from 
http://joomlacode.org/gf/download/frsrelease/502/11101/com_events_1.4.1.zip, 
which Blu3H47 claims is affected. The affected file starts:

                       ---- snip, snip, snip ----
<?php
/**
  * Events Component for Joomla 1.0.x
  *
  * @version     $Id: comutils.php 295 2006-12-06 09:20:53Z geraint $
  * @package     Events
  * @copyright   Copyright (C) 2006 JEvents Project Group
  * @licence     http://www.gnu.org/copyleft/gpl.html
  * @link        http://forge.joomla.org/sf/projects/jevents
  */

/*
  loads all required classes and file to support Events Component (Frontend)
*/

global $mainframe;

// first load config class
require_once(mosMainFrame::getBasePath('admin') . 
'components/com_events/lib/config.php');

                       ---- snip, snip, snip ----

Notice the version info here is the same as what Blu3H47 reports but the 
require_once() function can not be abused by an attacker. The date on 
'includes/comutils.php' in the ZIP file is 12-06-06 so it doesn't seem 
like the case of a quick fix after the vuln was announced. So what gives?



George
-- 
theall at tenablesecurity.com


More information about the VIM mailing list