===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2013.0094
              A vulnerability has been identified in Joomla!
                               5 August 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Joomla!
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Create Arbitrary Files -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
Member content until: Wednesday, September  4 2013

OVERVIEW

        An unauthorised file upload vulnerability has been identified in Joomla!
        prior to versions 3.1.5 and 2.5.14. Inadequate filtering of uploaded files
        allows a remote, unauthenticated user to bypass the file type restrictions
        on uploads. [1, 2]


IMPACT

        The vendor has provided the following information:
        
        "[20130801] - Core - Unauthorised Uploads
        
            Project: Joomla!
            SubProject: All
            Severity: Critical
            Versions: 2.5.13 and earlier 2.5.x versions. 3.1.4 and earlier 3.x
            versions.
            Exploit type: Unauthorised Uploads
            Reported Date: 2013-June-25
            Fixed Date: 2013-July-31
            CVE Number: Pending
        
        Description
        
        Inadequate filtering leads to the ability to bypass file type upload 
        restrictions.
        
        Affected Installs
        
        Joomla! version 2.5.13 and earlier 2.5.x versions; and version 3.1.4 
        and earlier 3.x versions.
        
        Solution
        
        Upgrade to version 2.5.14 or 3.1.5.
        
        Contact
        
        The JSST at the Joomla! Security Center.
        
        Reported By: Jens Hinrichsen." [3]

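        The vendor text above describes the flaw only as inadequate filtering of
        uploaded file types. The following added example is not Joomla's code, and
        the bulletin does not describe the exact filter that shipped in 2.5.13 and
        3.1.4; it contrasts a blacklist extension check of the kind that is
        routinely bypassed with an allowlist check over a normalised filename plus
        the file's leading bytes, run over constructed sample uploads. The
        blacklist, allowlist and magic-byte tables are assumptions chosen for the
        illustration.

```python
"""
Weak vs. hardened upload filename checks, illustrating how "inadequate
filtering" of file types is bypassed.  Added example code, not Joomla's
implementation; the assumed extension tables are for illustration only.
"""
import os
import re

# Assumed blacklist: extensions the filter author thought of.
BLACKLISTED_EXTS = {"php", "php3", "php4", "php5", "phtml"}

# Assumed allowlist for an image-upload endpoint.
ALLOWED_EXTS = {"jpg", "jpeg", "png", "gif"}

# Leading bytes expected for each allowed type.
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}


def weak_is_allowed(filename: str) -> bool:
    """Blacklist check typical of filters that get bypassed: it looks only
    at the text after the final '.' and compares it without normalising."""
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    return ext not in BLACKLISTED_EXTS


def hardened_is_allowed(filename: str, content: bytes) -> bool:
    """Allowlist check on a normalised name, plus a content check."""
    name = os.path.basename(filename)   # drop any directory component
    name = name.rstrip(". ")            # some platforms silently drop trailing '.' / ' '
    if not name or "\x00" in name:
        return False
    # Require exactly NAME.EXT with a conservative character set, so double
    # extensions and odd separators never reach the extension comparison.
    m = re.fullmatch(r"[A-Za-z0-9_-]+\.([A-Za-z0-9]+)", name)
    if not m:
        return False
    ext = m.group(1).lower()
    if ext not in ALLOWED_EXTS:
        return False
    # The declared extension must agree with the file's leading bytes.
    return content.startswith(MAGIC[ext])


# Constructed sample uploads: (filename, first bytes of the content).
SAMPLES = [
    ("photo.jpg", b"\xff\xd8\xff\xe0"),
    ("shell.php", b"<?php "),
    ("shell.PHP", b"<?php "),        # case variation
    ("shell.php.", b"<?php "),       # trailing dot, dropped by some platforms
    ("shell.php.jpg", b"<?php "),    # double extension
    ("shell.phar", b"<?php "),       # executable extension missing from the blacklist
    ("shell.jpg", b"<?php "),        # allowed extension, non-image content
]


def compare(samples=SAMPLES):
    """Return {filename: (weak_verdict, hardened_verdict)} for the samples."""
    return {n: (weak_is_allowed(n), hardened_is_allowed(n, c)) for n, c in samples}


if __name__ == "__main__":
    for name, (weak, hard) in compare().items():
        print(f"{name:16} weak={'ACCEPT' if weak else 'reject':6} "
              f"hardened={'ACCEPT' if hard else 'reject'}")
```

        Run directly, the script prints both verdicts for each sample: the
        blacklist accepts every variant except the literal `shell.php`, while
        the allowlist form rejects all of them and keeps only the genuine JPEG.
        Whether a given double-extension or trailing-dot name is actually
        executed depends on the web server and filesystem, which is exactly why
        the hardened check refuses any name that is not strictly NAME.EXT
        against an allowlist rather than trying to enumerate dangerous cases.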

MITIGATION

        The vendor recommends upgrading to Joomla! 2.5.14 or 3.1.5, the releases
        that correct this issue. [1 - 3]


REFERENCES

        [1] Joomla! 2.5.14 Released
            http://www.joomla.org/announcements/release-news/5506-joomla-2-5-14-released.html

        [2] Joomla! 3.1.5 Stable Released
            http://www.joomla.org/announcements/release-news/5505-joomla-3-1-5-stable-released.html

        [3] [20130801] - Core - Unauthorised Uploads
            http://developer.joomla.org/security/news/563-20130801-core-unauthorised-uploads

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================