SECUNIA ADVISORY ID: SA45324 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/45324/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=45324 RELEASE DATE: 2011-07-27
DESCRIPTION: Don Tukulesto has reported a vulnerability in the Appointment Booking Pro component for Joomla!, which can be exploited by malicious people to disclose sensitive information. Input passed via the "view" parameter to index.php (when "option" is set to "com_rsappt_pro2") is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources via directory traversal attacks and URL-encoded NULL bytes. SOLUTION: The vulnerability is fixed in version 2.0.1 RC3. PROVIDED AND/OR DISCOVERED BY: Don Tukulesto ORIGINAL ADVISORY: Appointment Booking Pro: http://appointmentbookingpro.com/index.php?option=com_kunena&Itemid=66&func=view&catid=25&id=8129#8129 Don Tukulesto: http://blog.indonesiancoder.com/appointment-booking-pro-joomla-component-vulnerable
