Joomla! Phoca Favicon Component Insecure Directory Permissions Weakness

SA48806

17 Apr 2012

19 Apr 2012

Not Critical

Vendor Patch

Phoca Favicon 2.x (Joomla! component)

Local system

Manipulation of data

This includes vulnerabilities where a user or a remote attacker can manipulate local data on a system, but not necessarily be able to gain escalated privileges or system access.

The most frequent type of vulnerabilities with this impact are SQL-injection vulnerabilities, where a malicious user or person can manipulate SQL queries.

Privilege escalation

This covers vulnerabilities where a user is able to conduct certain tasks with the privileges of other users or administrative users.

This typically includes cases where a local user on a client or server system can gain access to the administrator or root account thus taking full control of the system.

Security Bypass

This covers vulnerabilities or security issues where malicious users or people can bypass certain security mechanisms of the application.

The actual impact varies significantly depending on the design and purpose of the affected application.

A weakness has been reported in the Phoca Favicon component for Joomla!, which can be exploited by malicious, local users to manipulate certain data and potentially gain escalated privileges.

The weakness is caused due to the component setting insecure permissions (777) for the "images/phocafavicon" folder. This can be exploited to e.g. modify, create, or delete files contained in the folder.

The weakness is reported in version 2.0.2. Prior versions may also be affected.

Update to version 2.0.3.

Reported by the Joomla! VEL team.

Joomla:
http://docs.joomla.org/Vulnerable_Extensions_List#Phoca_Fav_Icon

Phoca Favicon:
http://www.phoca.cz/news/30-phoca-news/633-phoca-favicon-203-released