Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 27 Jun 2011 17:58:35 +0300
From: Henri Salo <henri@...v.fi>
To: oss-security@...ts.openwall.com
Cc: incidents@...rt.org, lists@...g.net, bressers@...hat.com
Subject: Re: CVE request: Joomla unspecified information
 disclosure vulnerability

On Mon, Jun 27, 2011 at 03:53:27PM +0800, YGN Ethical Hacker Group wrote:
> Path Disclosure should better be regarded as more closely related to
> server-side issue.
> It may be too redundant or unnecessary to create one path disclosure
> issue per CVE.
> 
> Another Path Disclosure issue in Joomla! 1.6.1
> 
> http://bl0g.yehg.net/2011/04/joomla-161-and-lower-information.html
> 
> 
> Almost all php CMS applications have this issue going on where  some
> of them are listed at:
> 
> http://code.google.com/p/inspathx/source/browse/#svn%2Ftrunk%2Fpaths_vuln

I think this deserves own CVE-identifier as Joomla did announce security vulnerability. As far as I know the vulnerability was described as "Information Disclosure" not patch disclosure. Path disclosures should be fixed from software also, but usually it is a problem in web-server configuration. Do you have more information about issue CVE-2011-2488? Still no reply from Joomla security team regarding issue CVE-2011-2488. I asked more details nearly a week ago.

Btw. I would use domain example.org in advisories if I were you. You might not always want to keep that attacker.in domain.

Best regards,
Henri Salo

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ