Date: Mon, 27 Jun 2011 15:53:27 +0800
From: YGN Ethical Hacker Group <lists@...g.net>
To: oss-security@...ts.openwall.com
Cc: incidents@...rt.org, henri@...v.fi
Subject: Re: CVE request: Joomla unspecified information
 disclosure vulnerability

Path Disclosure should better be regarded as more closely related to a
server-side issue.
It may be too redundant or unnecessary to create one path disclosure
issue per CVE.

Another Path Disclosure issue in Joomla! 1.6.1

http://bl0g.yehg.net/2011/04/joomla-161-and-lower-information.html


Almost all PHP CMS applications have this issue going on, where some
of them are listed at:

http://code.google.com/p/inspathx/source/browse/#svn%2Ftrunk%2Fpaths_vuln


---------------------------------
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd



On Fri, Jun 24, 2011 at 3:46 AM, Josh Bressers <bressers@...hat.com> wrote:
>
>
> ----- Original Message -----
>> Couldn't find a CVE-identifier for this issue. Joomla does have too
>> many vulnerabilities. Joomla prior to 1.5.23 contains a flaw that may
>> lead to an unauthorized information disclosure. Should this one get a
>> 2010 or 2011 identifier?
>>
>> Reported: 2010-12-08
>> Joomla advisory: 2011-04-01
>> Release with a fix (version 1.5.23): 2011-04-04
>>
>> References:
>> http://developer.joomla.org/security/news/9-security/10-core-security/340-20110401-core-information-disclosure.html
>> http://www.joomla.org/announcements/release-news/5367-joomla-1523-released.html
>> http://osvdb.org/show/osvdb/71587
>> http://secunia.com/advisories/44028/
>>
>> I hope this request isn't duplicate. I included oCERT to this email as
>> Joomla is part of that group. Please notify me and mailing-list if
>> this issue already has a CVE-identifier.
>>
>
> I'm giving this CVE-2011-2488.
>
> While the flaw was reported in 2010 they claim, I consider 2011 when
> it went public.
>
> Thanks.
>
> --
>    JB
>
