[VIM] Joomla Component com_ponygallery Remote File Inclusion Vulnerabilities

George A.Theall theall at tenable.com
Thu Dec 23 09:19:20 CST 2010

The issues covered by Exploit DB 15814 / Bugtraq 45558 don't seem  
valid to me. The script link in the Exploit DB advisory doesn't work  
(because it seems to use a session id in it) but if you download  
version 2.5.1 from Joomlaos.de and look at the affected files you'll  
see each has as its first line of code:

   defined( '_VALID_MOS' ) or die( 'Direct Access to this location is  
not allowed.' );

Thus, neither issue is exploitable as described in AtT4CKxT3rR0r1ST's  

Also, that line of code also exists in the files in older versions of  
the component that I was able to find -- 2.4.1 and 1.1.2.

theall at tenablesecurity.com

More information about the VIM mailing list