===========================================================================
             AUSCERT Security Bulletin ASB-2013.0094
          A vulnerability has been identified in Joomla!
                              5 August 2013
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Joomla!
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Create Arbitrary Files -- Remote/Unauthenticated
Resolution:        Patch/Upgrade

Member content until: Wednesday, September 4 2013

OVERVIEW

        A vulnerability has been identified in Joomla! prior to versions
        3.1.5 and 2.5.14. [1, 2]

IMPACT

        The vendor has provided the following information:

        "[20130801] - Core - Unauthorised Uploads

        Project: Joomla!
        SubProject: All
        Severity: Critical
        Versions: 2.5.13 and earlier 2.5.x versions.
                  3.1.4 and earlier 3.x versions.
        Exploit type: Unauthorised Uploads
        Reported Date: 2013-June-25
        Fixed Date: 2013-July-31
        CVE Number: Pending

        Description
        Inadequate filtering leads to the ability to bypass file type
        upload restrictions.

        Affected Installs
        Joomla! version 2.5.13 and earlier 2.5.x versions; and version
        3.1.4 and earlier 3.x versions.

        Solution
        Upgrade to version 2.5.14 or 3.1.5.

        Contact
        The JSST at the Joomla! Security Center.

        Reported By: Jens Hinrichsen." [3]

MITIGATION

        The vendor recommends updating to the latest versions of Joomla!
        to correct these issues. [1 - 3]

REFERENCES

        [1] Joomla! 2.5.14 Released
            http://www.joomla.org/announcements/release-news/5506-joomla-2-5-14-released.html

        [2] Joomla! 3.1.5 Stable Released
            http://www.joomla.org/announcements/release-news/5505-joomla-3-1-5-stable-released.html

        [3] [20130801] - Core - Unauthorised Uploads
            http://developer.joomla.org/security/news/563-20130801-core-unauthorised-uploads

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================