=====================================================================
                                    CERT-Renater

                         Note d'Information No. 2008/VULN345
_____________________________________________________________________

DATE                      : 11/09/2008

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Joomla! versions prior
                                                           to 1.5.7.

======================================================================
http://feeds.joomla.org/JoomlaSecurityNews
http://developer.joomla.org/security/news/272-20080902-core-random-number-generation-flaw.html
http://developer.joomla.org/security/news/273-20080903-core-commailto-spam.html
http://developer.joomla.org/security/news/274-20080904-core-redirect-spam.html
http://developer.joomla.org/security/news/271-20080901-core-jrequest-variable-injection.html
______________________________________________________________________

[20080902] - Core - Random Number Generation Flaw
Posted: Tue, 09 Sep 2008 16:09:07 +0000

     * Project: Joomla!
     * SubProject: libraries
     * Severity: High
     * Versions: 1.5.6 and all previous 1.5 releases
     * Exploit type: Brute Force
     * Reported Date: 2008-August-23
     * Fixed Date: 2008-September-9


Description

A flaw with the random number generation exists which vastly reduces the 
entropy of system used random functions.  This impacts system generated
tokens and passwords.  The fix increases entropy, and greatly reduces
the chance of a generated token being guessed.


3PD Concerns

3PD extensions which use random number generation must properly seed the 
random numbers first (See JUserHelper::genRandomPassword() for more
information on how to seed).  To generate a random string, the following
  method is recommended: $password = JUtility::getHash(
JUserHelper::genRandomPassword() );.


Affected Installs

All 1.5.x installs prior to and including 1.5.6 are affected.


Solution

Upgrade to latest Joomla! version (1.5.7 or newer).


Reported By Stefan Esser


Contact

The JSST at the Joomla! Security Center.

_______________________________________________________________

[20080903] - Core - com_mailto Spam
Posted: Tue, 09 Sep 2008 16:09:07 +0000

     * Project: Joomla!
     * SubProject: com_mailto
     * Severity: Low
     * Versions: 1.5.6 and all previous 1.5 releases
     * Exploit type: Email Spam
     * Reported Date: 2008-August-29
     * Fixed Date: 2008-September-9


Description

The mailto component does not verify validity of the URL prior to
sending.


Affected Installs

All 1.5.x installs prior to and including 1.5.6 are affected.


Solution

Upgrade to latest Joomla! version (1.5.7 or newer).


Reported By Phil Taylor


Contact

The JSST at the Joomla! Security Center.
___________________________________________________________________

[20080904] - Core - Redirect Spam
Posted: Tue, 09 Sep 2008 16:09:07 +0000

     * Project: Joomla!
     * SubProject: Multiple
     * Severity: Low
     * Versions: 1.5.6 and all previous 1.5 releases
     * Exploit type: Redirect Spam
     * Reported Date: 2008-August-26
     * Fixed Date: 2008-September-9


Description

Several components utilize a passed in URL to redirect to after
processing.  These URLs are not validated prior to the redirect.  A
crafted URL can cause the system to redirect to a spam or phishing site.


3PD Concerns

3pd extensions should validate all redirects (where the URL cannot be
trusted) using the new JURI method isInternal($url).
JURI::isInternal($url) will return true if the passed in url is a url on
the same host as Joomla, or false if it is not.  JURI::isInternal($url)
was not available prior to 1.5.7.


Affected Installs

All 1.5.x installs prior to and including 1.5.6 are affected.


Solution

Upgrade to latest Joomla! version (1.5.7 or newer).


Reported By Emanuele Gentili


Contact

The JSST at the Joomla! Security Center.
______________________________________________________________________


[20080901] - Core - JRequest Variable Injection
Posted: Tue, 09 Sep 2008 16:00:24 +0000

     * Project: Joomla!
     * SubProject: libraries
     * Severity: Critical
     * Versions: 1.5.6 and all previous 1.5 releases
     * Exploit type: Variable Injection
     * Reported Date: 2008-September-7
     * Fixed Date: 2008-September-9


Description

A flaw in JRequest exists where variables set with JRequest::setVar are
not cleaned when fetching the variable at a later point in the request.
This can result in variable injection (unwanted characters injected
into returned data).


3PD Concerns

3PD extensions which use JRequest do not need to change anything for
proper function.


Affected Installs

All 1.5.x installs prior to and including 1.5.6 are affected.


Solution

Upgrade to latest Joomla! version (1.5.7 or newer).


Reported By

Joomla! Development Coordinator Andrew Eddie.


Contact

The JSST at the Joomla! Security Center.

======================================================================

           =========================================================
           Les serveurs de référence du CERT-Renater
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================