[VIM] Joomla Media Local File Inclusion

rkeith rkeith at securityfocus.com
Wed Apr 6 11:51:02 CDT 2011

Hey George,

Sorry for the delay, was on vaca.

I agree, looking at the source of that file, it has always just been a series of class definitions, calling it directly would do nothing.

Since May 2010, that file also has protections against calling it directly. Calling this not a vuln, and retiring the BID.


On 03/30/2011 04:57 AM, George A. Theall wrote:
> Bugtraq 47043 looks questionable to me. There's no list of versions affected or explanation of the vulnerability other than the PoC:
>   http://www.example.com/[path]/components/com_media/helpers/media.php?file=[LFI]%00
> And while Joomla includes the component in its distribution file in many versions (it doesn't in Joomla 1.0.15, the only version from the 1.0.x series
> I checked), the supposedly affected file is nothing more than a class file. It doesn't include / require any other files nor have calls to include()
> or require() or its variants. At least in Joomla versions 1.5.22, 1.6.1 (both current), 1.5.12, or 1.5.5.
> Any thoughts, Rob?
> George

More information about the VIM mailing list