[SATLUG] My new site...would like some feedback
Sexton, Art, ISD
ASexton956 at Worldsavings.com
Tue Oct 10 07:59:13 CDT 2006
The bug you mention is, again, in a 3rd party extension...Community
Builder:
"com_comprofiler Components
Application : com_comprofiler
version : 1.0 RC 2"
Also, this is an older version of Community Builder, 1.0 RC2; the
current version is 1.0.1.
And, even if they get in via this means, they only get access to the
admin console of Joomla and can only deface the site.
One of the security benefits from a CMS like Joomla is that it can be
installed and then a password given to the user for maintenance. After
this, there is no need to have a system user account, no shell access,
no ftp access, etc.
Just my 2 cents.
However, although security through obscurity is not ideal, one of the
things I usually do before putting a Joomla/Mambo site online is to
remove the tag showing what kind of CMS it is.
Art Sexton
-----Original Message-----
From: satlug-bounces at satlug.org [mailto:satlug-bounces at satlug.org] On
Behalf Of K. Spoon
Sent: Tuesday, October 10, 2006 2:15 AM
To: The San Antonio Linux User's Group Mailing List
Subject: Re: [SATLUG] My new site...would like some feedback
On Mon, Oct 09, 2006 at 05:32:00PM -0500, Eli Cantu wrote:
> Do these exploits all use the account creation vector?
That depends on how the app handles authentication, which I don't have
the first clue about.
Just picking one of the CVEs at random, here's the bugtraq writeup for
the vulnerability:
http://www.securityfocus.com/archive/1/archive/444425/100/0/threaded
The exploit works if:
1) the php install accepts GET for variable definition
2) $mosConfig_path doesn't get overwritten
3) there's no authentication call before rendering the page (which looks
like the case here)
Then they're in even without having to have access to the site through a
valid username/password.
--
K. Spoon <kell at spoonix.com>
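As an added example (not code from Joomla, Mambo, Community Builder or either poster), here is the defensive shape of a component entry file against the three conditions listed above; the component, file and function names are assumptions for illustration.

```php
<?php
// Added example, not code from Joomla, Mambo, Community Builder or the
// message above. Defensive shape for a component entry file against the
// three conditions listed: register_globals (GET defines variables), an
// unoverwritten path variable, and no entry check before the include.
// com_example, example.html.php and resolve_component_file are assumed names.

// (a) Entry guard. Joomla/Mambo's index.php defines _VALID_MOS before it
//     loads any component, so a request that hits this file directly (the
//     same request in which a GET-supplied $mosConfig_absolute_path has not
//     been overwritten by configuration.php) is refused here.
defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );

// (b) Never build an include path from a variable that could have come from
//     the request. Anchor it to this file's own directory and confirm the
//     resolved path stays inside that directory.
function resolve_component_file( $baseDir, $relative )
{
    $base = realpath( $baseDir );
    if ( $base === false ) {
        return false;
    }
    // realpath() returns false for paths that do not exist on disk, which
    // covers a remote URL or a file that is not part of the component.
    $path = realpath( $base . DIRECTORY_SEPARATOR . $relative );
    if ( $path === false ) {
        return false;
    }
    // Reject anything that resolved outside $base (e.g. via ../).
    if ( strpos( $path, $base . DIRECTORY_SEPARATOR ) !== 0 ) {
        return false;
    }
    return $path;
}

$file = resolve_component_file( dirname( __FILE__ ), 'example.html.php' );
if ( $file === false ) {
    die( 'Component file not found' );
}
require_once( $file );

// (c) Server side, independent of any component (php.ini, constructed values):
//     register_globals  = Off   ; closes condition 1 for every script
//     allow_url_fopen   = Off   ; blocks remote includes on PHP 4 / 5.1
//     allow_url_include = Off   ; the dedicated switch from PHP 5.2 onward
```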
--
_______________________________________________
SATLUG mailing list
SATLUG at satlug.org
http://alamo.satlug.org/mailman/listinfo/satlug to unsubscribe Powered
by Rackspace (www.rackspace.com)