Secunia

Multiple vulnerabilities and a weakness have been discovered in Joomla!, which can be exploited by malicious people to disclose certain system information, disclose potentially sensitive information, and compromise a vulnerable system.

1) A vulnerability exists due to the TinyMCE editor including the tiny browser plugin, which allows uploading files without authentication. This can be exploited to e.g. upload files with multiple extensions and execute arbitrary PHP code.

2) A weakness exists due to certain files missing checks for JEXEC, which can be exploited to disclose internal path information.

3) Input passed to the "tinybrowser_lang" cookie parameter in plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/config_tinybrowser.php is not properly sanitised before being used to include files in plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/folders.php. This can be exploited to include arbitrary files from local resources via directory traversal attacks and URL-encoded NULL bytes.

Successful exploitation requires that "magic_quotes_gpc" is disabled

The vulnerabilities and the weakness are confirmed in version 1.5.12. Prior versions may also be affected.

Solution
Update to version 1.5.13 or later.

Provided and/or discovered by
The vendor credits:
1) Patrice Lazareff
2) Juan Galiana Lara (Internet Security Auditors)

3) Nikola Petrov

Changelog
Further details available in Customer Area

Original Advisory
Joomla:
http://developer.joomla.org/security/news/301-20090722-core-file-upload.html
http://developer.joomla.org/security/news/302-20090722-core-missing-jexec-check.html

Nikola Petrov:
http://www.exploit-db.com/exploits/11263

Deep Links
Links available in Customer Area