Vulnerability report WLB-2016070102 12/07/2016
On July 13th, a website reported what they allege is a vulnerability in Jomres.
Within hours the Jomres team had investigated and confirmed that this alleged vulnerability does not affect Jomres Core or its plugins. The attack targets a customised script that has never been distributed by us, so its severity is limited to a small number of websites, possibly just one.
The report can be found here: https://cxsecurity.com/issue/WLB-2016070102
What the report describes is an SQL injection vulnerability in a request that, as shown in the report, calls a task named "ajax_comentarii":
The apostrophe in the property uid variable is the SQL injection point: because the value is placed directly into the query text, an attacker could use the "ajax_comentarii" task to read or manipulate data in the server's MySQL database.
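To make the mechanism concrete for developers who maintain custom Jomres scripts, here is an added illustration (not Jomres code, and not the script from the report) of the two query patterns. The table name, column names and the `probe` helper are hypothetical, and SQLite stands in for MySQL; the point it shows is the same: when the uid is spliced into the SQL string, an apostrophe reaches the SQL parser and changes the query's structure, whereas a bound parameter is never interpreted as SQL.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a property-comments table
    (hypothetical schema, not from Jomres)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE comments (id INTEGER PRIMARY KEY, "
        "property_uid INTEGER, body TEXT)"
    )
    conn.executemany(
        "INSERT INTO comments (property_uid, body) VALUES (?, ?)",
        [(1, "Great stay"), (1, "Clean rooms"), (2, "Too noisy")],
    )
    conn.commit()
    return conn


def comments_unsafe(conn, uid):
    # Vulnerable pattern: the request parameter is concatenated into the
    # SQL text, so an apostrophe in uid alters the statement itself.
    sql = "SELECT body FROM comments WHERE property_uid = '" + str(uid) + "'"
    return [row[0] for row in conn.execute(sql)]


def comments_safe(conn, uid):
    # Hardened pattern: the value is bound as a parameter. The driver sends
    # it as data, so an apostrophe is compared literally, never parsed.
    rows = conn.execute(
        "SELECT body FROM comments WHERE property_uid = ?", (uid,)
    )
    return [row[0] for row in rows]


def probe(uid):
    """Run both versions on the same input and report whether the unsafe
    query's structure was altered. A sqlite3.OperationalError from the
    concatenated query means the input was parsed as SQL, which is the
    symptom the report's apostrophe test relies on."""
    conn = make_db()
    try:
        unsafe = comments_unsafe(conn, uid)
        altered = False
    except sqlite3.OperationalError:
        unsafe = None
        altered = True
    safe = comments_safe(conn, uid)
    return {"unsafe": unsafe, "unsafe_structure_altered": altered, "safe": safe}


if __name__ == "__main__":
    # A well-formed uid behaves the same in both versions.
    print(probe(1))
    # A uid containing an apostrophe breaks the concatenated query but is
    # handled as plain data by the parameterised one.
    print(probe("1'"))
```

The fix for a script like the one in the report is the second function: bind every request value as a parameter (prepared statements in MySQL) rather than building the statement from strings, and treat a database syntax error triggered by user input as a sign that the first pattern is still present somewhere.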
Jomres is an Open Source system, freely available to download and install. "ajax_comentarii" is not a feature of Jomres or of any known Jomres plugin. The word "comentarii" means "comments" in Romanian, and we suspect that this is a one-off customisation, probably written by an inexperienced developer, to add a comment system to Jomres.
To be clear, this vulnerability only applies to Jomres sites that have this specific customisation. As this script has never been distributed by us, and as we can find no previous mention of it online, we believe that this vulnerability is limited to a small number of sites.
We have run thorough tests to confirm that the vulnerability cannot be reproduced in a core installation of Jomres, so our users can rest assured that at the time of writing there is no known vulnerability in Jomres itself. As a business product, security is our highest priority and we endeavour to ensure that all the code we release is properly secured. Any customer seeking to make customised modifications to Jomres should use experienced developers who follow current best practices.