The Vel team has once again been made aware of a large list of extension exploits posted by one user on an exploit reporting site. We contacted several of the developers for their comments while our team checked these reports.
Some of the developers contacted us to confirm the reports were fake or "greetz spam".

Here are some clues that made us suspicious.

A lot of the extensions reported don't exist anymore. One example is "Acajoom 5.1.5 SQL-Injection": the extension was replaced by the developer with a new newsletter extension for Joomla called "jNews" in January 2010.

Others have

# Database Disclosure Exploit :
**************************

/administrator/components/com_xxxx/install.xxxx.sql

/administrator/components/com_xxxx/uninstall.xxxx.sql

which we know is not an information disclosure exploit.

Using a payload such as
"null'+and+1=2+union+select+1,concat(username,0x3a,password)KingSkrupellos,3,4,5,6,7,8,9,10,11,12,13,14+from+jos_users/" when jos_users doesn't exist anymore.

File references such as "# Old Similar CVE [ Only Version is Different ] : CVE-2009-2395" mean the whole exploit is a copy and paste.

Quoting a warez site as the download point: # Software Information Links : jer.org/extensions/ext-sobi2 extensions.joomla.org/extension/sobipro/


We can also see that a lot of the reports are reposted old reports with version numbers updated, and the POC sites tested were old versions of Joomla running old versions of the scripts, possibly not updated since the original release.
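
The clues above can be turned into a first-pass triage check for incoming reports. This is an added example, not Vel tooling; the function name, labels, the "Exploit Title" header and both sample reports are assumptions constructed for illustration from the fragments quoted on this page.

```python
import re

# Extensions this page names as retired; extend from your own records.
RETIRED = {"acajoom": "replaced by jNews in January 2010"}

# (label, pattern) pairs, one per clue from the list above.
PATTERNS = [
    ("installer SQL file listed as a database disclosure",
     re.compile(r"/administrator/components/com_\w+/(?:un)?install\.[\w.-]*sql\b", re.I)),
    ("payload hardcodes the legacy jos_ table prefix",
     re.compile(r"\bfrom[+\s]+jos_\w+", re.I)),
    ("report cites an older CVE as 'only version is different'",
     re.compile(r"Old Similar CVE.*?CVE-\d{4}-\d+", re.I | re.S)),
]

def triage(report: str) -> list[str]:
    """Return the reasons a submitted report looks recycled or fake."""
    reasons = [label for label, rx in PATTERNS if rx.search(report)]
    # Assumption: the title is the first non-empty line of the report.
    title = next((ln for ln in report.splitlines() if ln.strip()), "").lower()
    for name, note in RETIRED.items():
        if re.search(rf"\b{re.escape(name)}\b", title):
            reasons.append(f"targets retired extension {name} ({note})")
    return reasons

# Constructed sample built from the fragments quoted on this page.
SAMPLE = """\
# Exploit Title : Acajoom 5.1.5 SQL-Injection
# Old Similar CVE [ Only Version is Different ] : CVE-2009-2395
# Database Disclosure Exploit :
/administrator/components/com_xxxx/install.xxxx.sql
null'+and+1=2+union+select+1,concat(username,0x3a,password),3+from+jos_users/
"""

# Constructed report with none of the markers, to show a clean result.
CLEAN = """\
# Exploit Title : Example Extension 3.2.1 stored XSS
Tested against the current release on a default install; vendor notified.
"""

if __name__ == "__main__":
    for reason in triage(SAMPLE):
        print("SUSPICIOUS:", reason)
```

A hit is a prompt for manual review and a check with the developer, not proof that a report is fake.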

We ask any user or developer to #tellvel via our contact forms and practice responsible disclosure. A Twitter discussion on this: https://twitter.com/JoomlaVel/status/1093121111389364224

Related: https://vel.joomla.org/articles/1949-recent-exploit-report-flood
