
securityleaks?

  • securityleaks?

    Posted 10 years 8 months ago
    • My hosting provider found leaks in the Gantry map system. Can you tell me what to do?
      I have the newest installation of Gantry 4.1.20 and Joomla 2.5.18

      [Joomla] Clickjacking-kwetsbaarheden XSS /plugins/system/gantry/overrides/3.0/2.5/com_users/reset/complete.php
      [Joomla] Clickjacking-kwetsbaarheden XSS /plugins/system/gantry/overrides/3.0/2.5/com_users/login/default_login.php
      [Joomla] Clickjacking-kwetsbaarheden XSS /plugins/system/gantry/overrides/3.0/2.5/com_users/registration/default.php
      [Joomla] Highlight-plugin vatbaar voor code-injectie Code-injectie /plugins/system/gantry/overrides/3.0/2.5/com_finder/search/default_result.php
      [Joomla] XSS in taalkeuzemodule XSS /plugins/system/gantry/overrides/3.0/2.5/mod_languages/default.php
    • Andy Miller
    • Preeminent Rocketeer
    • Posts: 9919
    • Thanks: 96
    • Web Kahuna

    Re: securityleaks?

    Posted 10 years 8 months ago
    • Hmm... not sure exactly what this is about, but we'll look into it and get back to you, thanks!
  • Re: securityleaks?

    Posted 10 years 8 months ago
    • Any news?

      There was an update yesterday, but I don't think this was solved yet, or is it now solved?
    • Andy Miller
    • Preeminent Rocketeer
    • Posts: 9919
    • Thanks: 96
    • Web Kahuna

    Re: securityleaks?

    Posted 10 years 8 months ago
    • Suzanne, we've looked into this and we've compared our overrides to the Joomla ones and they are basically identical. We don't see anything that could be a security issue at all. BTW, in your paste above you have referenced Gantry overrides that we use when running Joomla 3.0, that basically fall back to the same output as we use in our 2.5 templates (for compatibility). These files are not even used by your Joomla 2.5.18 install.

      My hunch is that this security script that is reporting this is just scanning files and finding our overrides and doesn't really know what to do with them. I am confident this is not a security issue, but more of a false alarm type situation.
    • The following users have thanked you: suzanne roelse

  • Re: securityleaks?

    Posted 10 years 8 months ago
    • Okay, thanks! I will pass it on to my hosting.

      Why are there files in the installation when they are not even used by my Joomla?
      And can I delete them, or will they come back with every update I make?
    • Joe Halleck
    • Preeminent Rocketeer
    • Posts: 5480
    • Thanks: 67
    • Never give up!

    Re: securityleaks?

    Posted 10 years 8 months ago
    • Ask your hosting provider what tool they are using to scan.
    • Magento - phpBB3 - Kunena - RokBridge Specialist
      No Secure Tab posts unless requested.
      Use the Thank You and Life Preserver Buttons!
      Your signature is also a great place for setup details...help us help you!
  • Re: securityleaks?

    Posted 10 years 8 months ago
    • There is a tab 'Patchman' in my DirectAdmin
  • Re: securityleaks?

    Posted 10 years 8 months ago
    • Stephen Cassidy
    • Sr. Rocketeer
    • Posts: 213
    • Thanks: 13
    • Webmaster - ICT Manager

    Re: securityleaks?

    Posted 10 years 8 months ago
    • Hi All,

      For the first time I have also received two messages from my hosting provider with the very same information. I am located in The Netherlands using hosting www.antagonist.nl. They say it's [Joomla] Clickjacking-vulnerability XSS in plugin system gantry overrides com_users, default login, in users login, default registration and users registration, and in com_finder search. I have been using this hosting for 14 years now and they have only sent me one message before this one. They have given me 14 days to fix the issue.
      I'll look around later a bit more into it. Taking a break now, been working all day ;)

      Stephen
    • The more I practice, the luckier I get...
    • Andy Miller
    • Preeminent Rocketeer
    • Posts: 9919
    • Thanks: 96
    • Web Kahuna

    Re: securityleaks?

    Posted 10 years 8 months ago
    • Is there a specific security script you are running to get these reports? It would be great if we could run them ourselves to better help identify what is triggering these notices. Our overrides are based on ones that are much later than 2.5.8, so I really am not sure why this script is thinking there is a vulnerability from <= 2.5.8. Thanks.
