Joomla Third-Party Modules Multiple Vulnerabilities


Description
Several vulnerabilities have been identified in third-party modules for Joomla:
- CVE-2015-4071: information disclosure in the Helpdesk Pro plugin allows a remote attacker to read other users' support tickets
- CVE-2015-4072: several cross-site scripting vulnerabilities in the Helpdesk Pro plugin
- CVE-2015-4073: three SQL injections through the 'filter_order', 'ticket_code' and 'email' parameters in the Helpdesk Pro plugin
- CVE-2015-4074: local file disclosure in the Helpdesk Pro plugin
- CVE-2015-4075: file upload in the Helpdesk Pro plugin
- full path disclosure in the 'com_docman' component
- local file disclosure and inclusion through the 'file' parameter in the 'com_docman' component.
Proofs of concept are available.
     
Vulnerable Products
Vulnerable Software:
Joomla (OSM Development Team)
     
Solution
Version 1.4.0 of HelpDesk Pro fixes the CVE-2015-4071, CVE-2015-4072, CVE-2015-4073, CVE-2015-4074 and CVE-2015-4075 vulnerabilities.
     
CVE
CVE-2015-4075
CVE-2015-4074
CVE-2015-4073
CVE-2015-4072
CVE-2015-4071
     
References
- Outpost24: Outpost24 has found critical vulnerabilities in Joomla Helpdesk Pro!
  https://www.outpost24.com/outpost24-has-found-critical-vulnerabilities-in-joomla-helpdesk-pro/
- exploit-db: Joomla DOCman Component Multiple Vulnerabilities
  https://www.exploit-db.com/exploits/37620/
     
Vulnerability Manager Detection
No
     
IPS Protection

| ASQ Engine alarm | Available Since |
|---|---|
| Misc : Directory traversal - parameter starting with ../ | 3.2.0 |
| SQL injection Prevention - GET : suspicious OR statement in URL | 3.2.0 |
| SQL injection Prevention - GET : suspicious combination of 'OR' or 'AND' statements in URL | 3.2.0 |
| SQL injection Prevention - GET : suspicious CREATE statement in URL | 3.2.0 |
| SQL injection Prevention - GET : suspicious CAST statement in URL | 3.2.0 |
| SQL injection Prevention - GET : suspicious OPENROWSET statement in URL | 3.2.0 |
| SQL injection Prevention - GET : suspicious DECLARE statement in URL | 3.2.0 |
| Directory traversal using ..\\.. | 3.2.0 |
| SQL injection Prevention - GET : suspicious OPENQUERY statement in URL | 3.2.0 |
| SQL injection Prevention - GET : suspicious shutdown statement in URL | 3.2.0 |
| Directory traversal | 3.2.0 |
| SQL injection Prevention - GET : suspicious UNION SELECT statement in URL | 3.2.0 |
| SQL injection Prevention - GET : possible database version probing | 3.2.0 |
| SQL injection Prevention - GET : suspicious UPDATE SET statement in URL | 3.2.0 |
| SQL injection Prevention - GET : suspicious SELECT statement in URL | 3.2.0 |
| SQL injection Prevention - GET : suspicious INSERT statement in URL | 3.2.0 |
| SQL injection Prevention - GET : suspicious DROP statement in URL | 3.2.0 |
| SQL injection Prevention - GET : suspicious EXEC statement in URL | 3.2.0 |
| SQL injection Prevention - GET : block comment delimiters in URL | 3.2.0 |
| Directory traversal backward root folder | 3.2.0 |
| Misc : Local File Inclusion - suspicious /etc/passwd found in URL | 3.5.0 |
| SQL injection Prevention - GET : suspicious SQL statement in header | 4.0.0 |
| SQL injection Prevention - GET : Authentication bypass attempt with OR statement | 5.0.0 |
     


 
 
 
 
 Risk level 
Moderate 

 Vulnerability First Public Report Date 
2015-07-21 

 Target Type 
Server 

 Possible exploit 
Remote