Joomla! 1.5 plugin vulnerability

#1

I have a Joomla! site and just discovered a vulnerability. However, it is NOT with Joomla itself and I am a n00b. The question is, how much information should I post about this? I want people to be aware but I also don't want to give hackers/crackers a chance. This involves Joomla, a forum, and an authentication bridge.

I have already posted the information on the Joomla forums so I guess it doesn't really matter. But should I inform support of this issue? Or should I just go ahead and post what I know?


#2

Well, first of all, if the vulnerability is not with Joomla! itself, then your title is highly misleading and can cause a lot of people unnecessary concern, so I suggest you change that if you don’t want to mislead people.

If you believe you have found a vulnerability, you should always report your findings to the dev team of the involved project. If the problem is the result of the component, or the “bridge”, report your findings to the component or the bridge developer.

Generally, I tend to agree with the position that the Joomla! dev team has recently taken.

You might also consider that if you are, truly, a n00b, then you might want to have your findings vetted by these developers as they are far more likely to be qualified to determine if a vulnerability really exists or if you just have an insecure implementation or installation.

–rlparker
–DreamHost Tech Support


#3

I'm positive the setup is secure and the problem must lie with the bridge. I'll attempt to contact that dev. Sorry if I was irresponsible.

And I'm positive a vulnerability exists. I won't post details.


#4

I think contacting the dev for the bridge is, indeed, the way to go. No apology is necessary at all - it is not irresponsible to post the way you did, and I think you are making the right decision to not publicly post the details of the problem until you have a fix. :)

Your post title change is a good one too, as it more accurately describes your post.

–rlparker
–DreamHost Tech Support


#5

Problem solved!

It was indeed the bridge. Updated to rokbridge-RC5b3 and it fixed it. If anyone reading this is using rokbridge authentication bridge for Joomla/phpBB3, I URGE you to update.

Thanks for y’all’s time and help.