Vulnerable - jNews Component - Joomla! Forum - community, help and support
Sorry if this is the wrong forum.
My site has been taken offline today by an unknown attack.
My hosting provider has suggested the attack was performed using com_jnews and its openflashchart component. They have reports of multiple attacks on various sites using the same attack vector.
I believe mine was via the "demo" site linked via LinkedIn; it occurred shortly after a visit (and it is a low-traffic site at that time of day).
I am of course notifying the author of the component, but feel I should bring it to attention so that appropriate measures can be taken.
Apologies again if this is the wrong forum (please let me know the correct place).
It is the correct place.
Information on reporting the issue so that it may be removed from the Joomla extension download (JED) site is located here:
http://docs.joomla.org/vulnerable_exten ... and_report.
Here is what you need to know to fix your site:
If your installed version of jNews is less than 7.9.x, you need to update. If you have been affected by the insecurity (which your host says you have), you need to follow the "before post" information at viewtopic.php?f=621&t=582854 and clean your site. Restoring the site from a host backup or your own backup does not clean your site.
The current download listed on the JED is 7.7.1 (last update on Sep 25, 2012), which is vulnerable; since the download link takes you to the Joobi website, it is linked to the latest version. However, be sure to check, as the extension in the JED may be delisted shortly pending the outcome of the investigation.
The following is from the developer's website; I am copying it here so more people may know of the vulnerability:
Security release: update jNews 7.9.x
jNews is using an open source library called Open Flash Chart to display graphical statistics. Yesterday, critical code execution vulnerabilities were identified within the Open Flash Chart file "ofc_upload_image.php".
All jNews users using version jNews 7.7.x and below are affected by the vulnerability.
We've released a new version, jNews 7.9.x, to address the problem, and highly recommend that you update.
Two options to remove the vulnerability:
By updating to the latest released version of jNews 7.9.x, see instruction below.
By removing the file from the server through FTP:
Remove the following file from the server:
components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php
The issue appears to be the use of the openflashchart library.
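The file-removal option from the announcement above, as an added example that is not part of the thread or of Joobi's instructions: a shell script that finds copies of ofc_upload_image.php under a web root, tags the one at the jNews path, and removes only that copy. It assumes shell access instead of FTP; the function names and the demo directory tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or from Joobi. Assumes shell access to
# the host; the announcement itself describes removal over FTP.

# Vulnerable file relative to a Joomla root, as given in the announcement.
OFC_REL='components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php'

# find_ofc_upload BASE: print every ofc_upload_image.php under BASE.
# The copy at the announcement's path is tagged JNEWS; any other copy is tagged
# OTHER for manual review (the page only covers the jNews copy).
find_ofc_upload() {
    find "$1" -type f -name 'ofc_upload_image.php' 2>/dev/null |
    while IFS= read -r f; do
        case "$f" in
            */"$OFC_REL") printf 'JNEWS %s\n' "$f" ;;
            *)            printf 'OTHER %s\n' "$f" ;;
        esac
    done
}

# remove_jnews_ofc BASE: delete only the JNEWS copies, print what was removed,
# and return 0 only if no JNEWS copy remains afterwards.
remove_jnews_ofc() {
    find_ofc_upload "$1" | while IFS= read -r line; do
        case "$line" in
            'JNEWS '*) f=${line#JNEWS }
                       rm -f -- "$f" && printf 'removed %s\n' "$f" ;;
        esac
    done
    ! find_ofc_upload "$1" | grep -q '^JNEWS '
}

# demo: run both functions on a constructed tree of two fake sites.
demo() {
    base=$(mktemp -d) || return 1
    mkdir -p "$base/site1/${OFC_REL%/*}" "$base/site2/libs/ofc"
    : > "$base/site1/$OFC_REL"
    : > "$base/site2/libs/ofc/ofc_upload_image.php"
    find_ofc_upload "$base"
    remove_jnews_ofc "$base"; rc=$?
    rm -rf "$base"
    return "$rc"
}

# With a path argument, only list matches; with none, run the demo.
if [ $# -gt 0 ]; then find_ofc_upload "$1"; else demo; fi
```

Removing the file only closes the upload path; as the reply above says, a site that has already been affected still needs to be cleaned.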