[20180601] - Core - Local File Inclusion with PHP 5.3

Project: Joomla!
SubProject: CMS
Impact: Low
Severity: Low
Versions: 2.5.0 through 3.8.8
Exploit type: LFI
Reported Date: 2018-April-23
Fixed Date: 2018-June-26
CVE Number: CVE-2018-12712

Description

Our autoload code checks classnames to be valid, using the "class_exists" function in PHP. In PHP 5.3 this function validates invalid names as valid, which can result in a Local File Inclusion.

Affected Installs

Joomla! CMS versions 2.5.0 through 3.8.8

Solution

Upgrade to version 3.8.9

Contact

The JSST at the Joomla! Security Centre.

Reported By: Davide Tampellini