Joomla! Developer - [20091103] - Core

Main Menu

Security Center Menu

Login Form

Subscribe to Joomla! Security Announcements - Click Here

Mon

Nov

2009

[20091103] - Core - XML File Read Issue

Monday, 02 November 2009 01:03

Project: Joomla!
SubProject: All
Severity: Low
Versions: 1.5.14 and all previous 1.5 releases
Exploit type: Extension Version Disclosure
Reported Date: 2009-October-13
Fixed Date: 2009-Nov-03

Description

It is possible to read the contents of an extension's XML file and find the version number of the installed extension. This could allow people to exploit a known security flaws for a specific version of an extension.

Affected Installs

All 1.5.x installs prior to and including 1.5.14 are affected.

Solution

Turn on Apache mod_rewrite and configure your .htaccess file to filter out XML files. In the htaccess.txt file shipped with version 1.5.15, lines 35-39 contain example code that will deny access to XML files. You can incorporate this code (or similar code) into your .htaccess file. Be sure to test that it does not cause problems on your site.

Reported by WHK and Gergő Erdősi

Contact

The JSST at the Joomla! Security Center.

Last Updated on Thursday, 05 November 2009 01:46