* Joomla! versions 1.5.12 and prior
* Joomla! version 1.5.13
Full path disclosure vulnerabilities enables an attacker to know the path to the web root. This information can be used in order to launch further attacks.
The attacker can get the full path of the instalation of Joomla! browsing to any of this urls:
The information obtained contais the full path to the files:
Parse error: syntax error, unexpected T_CLONE, expecting T_STRING in /var/www/joomla-1.5.12/libraries/joomla/utilities/compat/php50x.php
on line 100
Fatal error: Class 'JObject' not found in /var/www/joomla-1.5.12/libraries/joomla/client/ldap.php on line 21 Fatal error: Class 'JLoader' not found in /var/www/joomla-1.5.12/libraries/joomla/html/html/content.php
on line 15
July 21, 2009: Discovered by Internet Security Auditors.
July 21, 2009: Vendor contacted.
July 22, 2009: Joomla! publish update. Great job.
July 24, 2009: Advisory published.