[VIM] Joomla Media Local File Inclusion
rkeith
rkeith at securityfocus.com
Wed Apr 6 11:51:02 CDT 2011
Hey George,
Sorry for the delay, was on vaca.
I agree, looking at the source of that file, it has always just been a series of class definitions; calling it directly would do nothing.
Since May 2010, that file also has protections against calling it directly. Calling this not a vuln, and retiring the BID.
-Rob
On 03/30/2011 04:57 AM, George A. Theall wrote:
> Bugtraq 47043 looks questionable to me. There's no list of versions affected or explanation of the vulnerability other than the PoC:
>
> http://www.example.com/[path]/components/com_media/helpers/media.php?file=[LFI]%00
>
> And while Joomla includes the component in its distribution file in many versions (it doesn't in Joomla 1.0.15, the only version from the 1.0.x series
> I checked), the supposedly affected file is nothing more than a class file. It doesn't include / require any other files nor have calls to include()
> or require() or its variants. At least in Joomla versions 1.5.22, 1.6.1 (both current), 1.5.12, or 1.5.5.
>
> Any thoughts, Rob?
>
>
> George
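
The check discussed in this thread (does the file ever call include()/require() or a variant, and does it refuse direct requests), sketched as an added example that is not part of the original messages or Joomla's own code. Both PHP samples are constructed, and the guard pattern assumes Joomla's usual `defined('_JEXEC') or die` idiom (or the older `_VALID_MOS` form).

```python
import re

# PHP string literals and comments, so neither can produce a false hit.
_LEX = re.compile(r"""'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*""", re.S)
_INCLUDE = re.compile(r"(?<![\w$>:])(?:include|require)(?:_once)?\b([^;]*);")
_GUARD = re.compile(r"""defined\s*\(\s*['"](?:_JEXEC|_VALID_MOS)['"]\s*\)\s*(?:or|\|\|)\s*(?:die|exit)""")
_INPUT = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b|\bJRequest::")

def scrub(src, keep_strings=False):
    """Drop comments; blank string literals unless keep_strings is set."""
    def repl(m):
        tok = m.group()
        pad = "\n" * tok.count("\n")          # keep line numbers stable
        if tok[0] not in "'\"":
            return " " + pad                   # comment
        if keep_strings:
            return tok
        # keep a marker when a double-quoted string interpolates a variable
        return ('"$"' if tok[0] == '"' and "$" in tok else "''") + pad
    return _LEX.sub(repl, src)

def triage(src):
    code = scrub(src)
    includes = [(code.count("\n", 0, m.start()) + 1, "$" in m.group(1))
                for m in _INCLUDE.finditer(code)]
    return {
        "includes": includes,                  # (line, argument contains a variable)
        "dynamic_include": any(dyn for _, dyn in includes),
        "reads_request": bool(_INPUT.search(code)),
        "direct_access_guard": bool(_GUARD.search(scrub(src, keep_strings=True))),
    }

# Constructed sample: a guarded, class-only helper like the one the thread describes.
CLASS_ONLY = """<?php
// no direct access
defined('_JEXEC') or die('Restricted access');
/* Helper: nothing here calls include() or require() */
class ExampleHelper {
    function getTypeIcon($fileName) { return strtolower(substr($fileName, -3)); }
}
"""
# Constructed sample: the pattern a real file-inclusion report would need to show.
DYNAMIC = """<?php
$page = $_GET['file'];
include($page . '.php');
"""

if __name__ == "__main__":
    for name, src in (("class-only", CLASS_ONLY), ("dynamic", DYNAMIC)):
        print(name, triage(src))
```

The scan is lexical only: it does not follow heredocs or code outside `<?php` tags, so an empty result supports a "not a vuln" call but does not replace reading the file.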