Security Advisory SA39836 - Joomla JE Ajax Event Calendar Component Multiple Vulnerabilities

Secunia

Blog

Secunia Advisory SA39836

Joomla JE Ajax Event Calendar Component Multiple Vulnerabilities

Secunia Advisory

SA39836

Release Date

2010-05-17

Last Update

2010-12-17

Popularity

4,262 views

Comments

2 comments

Criticality level

Moderately critical

Impact

Manipulation of data
Exposure of system information
Exposure of sensitive information

Where

From remote

Authentication level

This information is available to Secunia VIM customers

Report reliability

This information is available to Secunia VIM customers

Solution Status

Vendor Patch

Systems affected

This information is available to Secunia VIM customers

Approve distribution

This information is available to Secunia VIM customers

Software:

JE Ajax Event Calendar 1.x (component for Joomla)

Secunia CVSS Score

This information is available to Secunia VIM Customers

CVE Reference(s)

CVE-2010-2129 CVSS score available to Secunia VIM customers
CVE-2010-4365 CVSS score available to Secunia VIM customers

Description

Multiple vulnerabilities have been reported in the JE Ajax Event Calendar component for Joomla, which can be exploited by malicious people to disclose potentially sensitive information and conduct SQL injection attacks.

1) Input passed to the "view" parameter in index.php (when "option" is set to "com_jeajaxeventcalendar") is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources via directory traversal attacks and URL-encoded NULL bytes.

This vulnerability is reported in version 1.0.1. Other versions may also be affected.

2) Input passed to the "event_id" parameter in index.php (when "option" is set to "com_jeajaxeventcalendar" and "view" is set to "alleventlist_more") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Solution
Update to the latest version.

Provided and/or discovered by
1) Valentin Hoebel
2) altbta

Changelog
Further details available to Secunia VIM customers

Original Advisory
Valentin Hoebel:
http://www.xenuser.org/2010/05/14/joomla-component-je-ajax-event-calendar-local-file-inclusion-vulnerability/

Deep Links
Links available to Secunia VIM customers

Do you have additional information related to this advisory?

Please provide information about patches, mitigating factors, new versions, exploits, faulty patches, links, and other relevant data by posting comments to this Advisory. You can also send this information to vuln@secunia.com

Subject: Joomla JE Ajax Event Calendar Component Multiple Vulnerabilities

User

Message

hardikmistry

RE: Joomla JE Ajax Event Calendar Component "view" File Inclusion Vulnerability

22nd Oct, 2010 07:25

Score: 0
Posts: 5
User Since: 23rd Jul 2010
System Score: N/A
Location: IN
Last edited on 22nd Oct, 2010 07:25

Hello,

Please check it new version there are no Vulnerability in that. We are remove that.

Regards,
Hardik mistry

Was this reply relevant?

-0

hardikmistry

RE: Joomla JE Ajax Event Calendar Component Multiple Vulnerabilities

8th Dec, 2010 12:25

Score: 0
Posts: 5
User Since: 23rd Jul 2010
System Score: N/A
Location: IN
Last edited on 8th Dec, 2010 12:25

Hello,

We are remove all Vulnerability in new version 1.3. Please test it that , if its remove than please remove that page.

Regards,
Hardik mistry

Was this reply relevant?

-0

Secunia Advisory SA39836

Joomla JE Ajax Event Calendar Component Multiple Vulnerabilities

Do you have additional information related to this advisory?

You must be logged in to post a comment.

Secunia Customer Login

Not a customer already?