[VIM] Joomla Media Local File Inclusion

George A. Theall theall at tenable.com
Wed Mar 30 05:57:32 CDT 2011


Bugtraq 47043 looks questionable to me. There's no list of versions  
affected or explanation of the vulnerability other than the PoC:

   http://www.example.com/[path]/components/com_media/helpers/media.php?file=[LFI]%00

And while Joomla includes the component in its distribution file in  
many versions (it doesn't in Joomla 1.0.15, the only version from the  
1.0.x series I checked), the supposedly affected file is nothing more  
than a class file. It doesn't include / require any other files nor  
have calls to include() or require() or its variants. At least in  
Joomla versions 1.5.22, 1.6.1 (both current), 1.5.12, or 1.5.5.

Any thoughts, Rob?


George
-- 
theall at tenablesecurity.com
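
The check described in the message (looking through the named file for calls to include(), require() or their variants) can be scripted when triaging a report like this one. The Python sketch below is an added example, not part of the original message and not Joomla code; `find_inclusions` and both PHP samples are constructed for illustration, and the regex scan is a heuristic rather than a PHP parser.

```python
import re

# Comments and string literals, matched so keywords inside them are ignored.
_NOISE = re.compile(
    r"""/\*.*?\*/ | (?://|\#)[^\n]* | '(?:\\.|[^'\\])*' | "(?:\\.|[^"\\])*"
    """, re.S | re.X)
_INCLUDE = re.compile(r"(?<![\w$>:])(include|require)(_once)?\b([^;]*);", re.I)
_SUPERGLOBAL = r"\$_(?:GET|POST|REQUEST|COOKIE)\b"

def _scrub(m):
    text = m.group(0)
    if text.startswith('"'):  # keep interpolated variables, drop the words
        return '"' + " ".join(re.findall(r"\$\w+", text)) + '"'
    return "''" if text.startswith("'") else " "

def find_inclusions(php_source):
    """Return every include/require construct and whether its argument is
    built from request data (directly, or via one assignment hop)."""
    code = _NOISE.sub(_scrub, php_source)
    tainted = set(re.findall(r"\$(\w+)\s*=(?!=)[^;]*?" + _SUPERGLOBAL, code))
    findings = []
    for m in _INCLUDE.finditer(code):
        arg = m.group(3).strip()
        used = set(re.findall(r"\$(\w+)", arg))
        direct = re.search(_SUPERGLOBAL, arg) is not None
        findings.append({
            "construct": (m.group(1) + (m.group(2) or "")).lower(),
            "argument": arg,
            "request_controlled": direct or bool(used & tainted),
        })
    return findings

# Constructed sample: a class-only file, the situation the message describes.
CLASS_ONLY = r'''<?php
// Helper class; callers include this file elsewhere.
/* require_once is not used here */
class ExampleHelper {
    function isImage($name) { return preg_match("/\.(png|gif)$/", $name); }
    function requireLogin() { return 'include nothing'; }
}
'''

# Constructed sample: what a file matching the reported PoC would have to contain.
REQUEST_DRIVEN = r'''<?php
$page = $_GET['file'];
require_once 'config.php';
include($page . '.php');
'''
```

An empty result for the file named in a report, as with `CLASS_ONLY`, supports the reading that the file cannot be the inclusion sink; a hit with `request_controlled` set is what a genuine report would be expected to show.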




