Simple Page Options (SPO) Vulnerability Fixed

Written by Dean Beedell

Monday, 31 October 2011

I have been advised by the hosting company of a vulnerability in an
extension we had been using on one of our sites, which allows information
to be obtained that could be used in a future attack on the site. The
extension is the Simple Page Options Module for Joomla 1.5, which allows
you to add a variety of extra functions via a very simple front end
interface. What does this module do? It does the following things:
It enhances Site Title.
Replaces the Default Joomla! Generator.
Forces Compatibility View for IE8 Users.
Adds a contact and referral form.
Adds twelve social bookmarking icons.
Adds a note to users of the obsolete browser IE6.
Allows you to turn off right clicking.
This is useful functionality that I don't want to lose, especially when
it is wrapped in such a pretty and compact package. The problem is that
hackers have found that the email forms do not fully sanitise their
input, and on a system that is not protected by su_php it could allow
some commands to be run to divulge information about the server. It is
possible that it could also allow injected code to be run.
I have been in touch with the developer and I have fixed the vulnerability
with his help. He has now fixed the vulnerability worldwide, as 10,000+
sites also use it. The vulnerability was discovered by us when someone
tried to exploit the vulnerability to insert some nasty code on one of our
systems. They failed, of course, as the system is far too secure for that
to happen. Just letting you know!
The JED had already had someone flag the problem and had marked the module as being insecure...
With the new version of Simple Page Options (SPO 1.5.17) you can now safely upgrade the module on your Joomla 1.5 site. It is available here.

Last Updated (Wednesday, 16 November 2011)