Blog


Vulnerability report WLB-2016070102 12/07/2016

On July 13th, a website reported what they allege is a vulnerability in Jomres.

Within hours the Jomres team had investigated and confirmed that this alleged vulnerability does not affect Jomres Core or it's plugins. The attack seems to target a customised script that has never been distributed by us and it's severity is, therefore, limited to a small number of, or even just one, website.

The report can be found here : https://cxsecurity.com/issue/WLB-2016070102

What the report describes is an SQL injection vulnerability which, as you can see here, calls a task named "ajax_comentarii":

index.php?option=com_jomres&Itemid=103&task=ajax_comentarii&Itemid=103&property_uid=82'

The apostrophe in the property uid variable is an SQL injection vulnerability which would allow an attacker to use the "ajax_comentarii" task to gain access to a server's mysql database through data manipulation.

Jomres is an Open Source system, freely available to download and install. "ajax_comentarii" is not a feature of Jomres or any known Jomres plugins. The word "comentarii" means "comments" in Romanian, and we suspect that this is a one-off customisation, probably written by an inexperienced developer, to add a comment system to Jomres.

To be clear, this vulnerability only applies to Jomres sites that have this specific customisation. As this script has never been distributed by us, and as we can find no previous mention of it online, we believe that this vulnerability is limited to a small number of sites.

We have run thorough tests to confirm that the vulnerability cannot be duplicated in a core installation of Jomres, so our users can rest assured that at the time of writing there is no known vulnerability in Jomres itself. As a business product, security is our highest priority and we endevour to ensure that all the code we release is properly secured. Any customer seeking to make customised modifications to Jomres should use experienced developers who follow current best practices.

 

  • Created on .

ABOUT US

vince picDeveloped and maintained by Vince Wooll, Jomres was initially conceived in early 2005 as a Mambo based solution to a client’s hotel management needs. While it wasn't originally expected to be an online booking system it quickly morphed into one as users requested more and more features.

As the number of feature requests grew Vince knew that he would need to dedicate more time to the project and in July 2005 Jomres was formally released as a commercial project. Since then, Jomres has become one of Mambo’s, and now Joomla’s, longest running projects. It has survived various versions of Mambo, then Joomla 1.0, 1.5, 1.6, 1.7, 2.5 and 3.

Aladar joined the project in 2010 after using Jomres for his own projects. He was active on the forum, helping other members of the community and eventually Vince invited him to join the team. Between 2010 and 2018 he was an integral part of the project and made many significant contributions.

Whilst not formally part of the Jomres project, Rodrigo Rocco and Vince have become firm friends. Rod is a freelancer who specialises in doing custom work for Jomres users and developing custom plugins for the system that take advantage of it's modular design. He has built many useful extensions including his fabulous Valentina Template Override Package.

Jomres and the Jomres Logo is trademarked and can't be used without written consent from the owner.

www.jomres.net is not affiliated with or endorsed by the Joomla! Project, Open Source Matters or the WordPress project. The Joomla! & WordPress names and logos are used under a limited license granted by Open Source Matters and the WordPress Projects.

© Copyright 2005 - 2018 Woollyinwales IT.