17 Apr 2012
19 Apr 2012
Phoca Favicon 2.x (Joomla! component)
Manipulation of data
This includes vulnerabilities where a user or a remote attacker can manipulate local data on a system, but not necessarily be able to gain escalated privileges or system access.
The most frequent type of vulnerabilities with this impact are SQL-injection vulnerabilities, where a malicious user or person can manipulate SQL queries.
This covers vulnerabilities where a user is able to conduct certain tasks with the privileges of other users or administrative users.
This typically includes cases where a local user on a client or server system can gain access to the administrator or root account thus taking full control of the system.
This covers vulnerabilities or security issues where malicious users or people can bypass certain security mechanisms of the application.
The actual impact varies significantly depending on the design and purpose of the affected application.
A weakness has been reported in the Phoca Favicon component for Joomla!, which can be exploited by malicious, local users to manipulate certain data and potentially gain escalated privileges.
The weakness is caused due to the component setting insecure permissions (777) for the "images/phocafavicon" folder. This can be exploited to e.g. modify, create, or delete files contained in the folder.
The weakness is reported in version 2.0.2. Prior versions may also be affected.
Update to version 2.0.3.
Reported by the Joomla! VEL team.