VID | 210031
Severity | 40
Port | 80, ...
Protocol | TCP
Class | CGI
Detailed Description |
The JCE Admin component for Joomla! is vulnerable to a local file include vulnerability. Joomla! is an open-source content management system written in PHP. The vulnerability is caused by improper validation of user-supplied input passed to the 'plugin' and 'file' parameters of the 'components/com_jce/jce.php' script. Regardless of PHP's 'register_globals' setting, an unauthenticated remote attacker could exploit this vulnerability to view arbitrary files or to execute arbitrary PHP code on the affected system. In addition, the component is also reportedly affected by multiple cross-site scripting vulnerabilities involving other parameters to the same script.
* References: http://www.frsirt.com/english/advisories/2006/4903, http://secunia.com/advisories/23160/
* Platforms Affected: JCE Admin component for Joomla! 1.0.4 SP 2006-08-21; Any operating system, Any version |
Recommendation |
Upgrade to the latest version of JCE Admin (1.1.0 beta2 or later), available from the JCE - Joomla Content Editor Web site at http://www.cellardoor.za.net/index.php?option=com_docman&task=cat_view&gid=1&Itemid=6 |
Related URL | CVE-2006-6419, CVE-2006-6420, CVE-2006-6166 (CVE)
Related URL | 21491, 21496 (SecurityFocus)
Related URL | 30798, 30799, 30802 (ISS)
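A log-review check for the script and parameters named in the description, added here as an example (it is not part of the original record or of the JCE project). It assumes a combined-format access log and that legitimate 'plugin' and 'file' values are short plain identifiers; the sample log lines and parameter values are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

SCRIPT = "components/com_jce/jce.php"   # script named in the record
PARAMS = ("plugin", "file")             # parameters named in the record
# Assumption: a legitimate value is a short identifier (letters, digits, _ and -).
SAFE_VALUE = re.compile(r"[A-Za-z0-9_-]{1,64}")
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"')

def suspicious_params(url):
    """Return (param, decoded_value) pairs, in PARAMS order, that fail the allowlist."""
    parts = urlsplit(url)
    if not unquote(parts.path).lower().endswith(SCRIPT):
        return []
    hits = []
    query = parse_qs(parts.query, keep_blank_values=True)  # first URL-decoding pass
    for name in PARAMS:
        for value in query.get(name, []):
            decoded = unquote(value)  # second pass exposes double-encoded input
            if not SAFE_VALUE.fullmatch(decoded):
                hits.append((name, decoded))
    return hits

def scan_log(lines):
    """Return (line_number, client, hits) for each request worth reviewing."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST.search(line)
        if not match:
            continue
        hits = suspicious_params(match.group(1))
        if hits:
            findings.append((number, line.split()[0], hits))
    return findings

# Constructed sample lines (documentation addresses, placeholder values).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2007:10:00:00 +0000] "GET /components/com_jce/jce.php?plugin=example_plugin&file=example_file HTTP/1.1" 200 512',
    '192.0.2.77 - - [01/Jan/2007:10:00:05 +0000] "GET /components/com_jce/jce.php?plugin=..%2F..%2Fexample&file=x HTTP/1.1" 200 2048',
    '192.0.2.77 - - [01/Jan/2007:10:00:09 +0000] "GET /components/com_jce/jce.php?plugin=a&file=%252e%252e%252fexample%2500 HTTP/1.1" 200 90',
    '192.0.2.10 - - [01/Jan/2007:10:01:00 +0000] "GET /index.php?file=../x HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for number, client, hits in scan_log(SAMPLE_LOG):
        print(f"line {number}: {client} -> {hits!r}")
```

Hits on hosts that still run an affected JCE Admin version are candidates for incident review; the allowlist should be tightened to the plugin names actually installed.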