Joomla! Multiple NoNumber Extensions Local File Inclusion and PHP Code Execution

SECUNIA ADVISORY ID:
SA46459

VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/46459/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=46459

RELEASE DATE:
2011-10-22

DESCRIPTION:
Two vulnerabilities have been reported in multiple NoNumber
extensions for Joomla!, which can be exploited by malicious people to
disclose sensitive information and compromise a vulnerable system.

1) Input passed via the "file" parameter to index.php (when "nn_qp"
is set) is not properly verified before being used to include files.
This can be exploited to include arbitrary files from local resources
via directory traversal sequences and URL-encoded NULL bytes.

2) Input passed via the "url_options[]" POST parameter to index.php
(when "nn_qp" and "url" are set) is not properly sanitised before
being passed to the "curl_setopt_array()" function. This can be
exploited to create cookie files with arbitrary PHP content in the
webroot.
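
Added example (not part of the Secunia advisory or the NoNumber code): a Python check that scans web server access-log lines for requests matching the two conditions described above. It assumes combined log format and that "nn_qp" and "file" appear in the query string; the log lines, file names and finding labels are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request field of a common/combined format access-log line (assumed format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def classify(line):
    """Return findings for one log line; an empty list means nothing matched."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    # parse_qs percent-decodes once, so %2F and %00 arrive decoded.
    params = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
    if "nn_qp" not in params:
        return []
    findings = []
    for raw in params.get("file", []):
        value = unquote(raw)  # second pass also catches double-encoded input
        if "\x00" in value:
            findings.append("file-null-byte")
        if ".." in value.replace("\\", "/").split("/"):
            findings.append("file-traversal")
    # Issue 2 arrives in the POST body ("url_options[]"), which access logs do
    # not record, so a POST with "nn_qp" set is only a lead for body review.
    if m.group("method") == "POST":
        findings.append("post-nn_qp-review-body")
    return findings

def scan(lines):
    """Return (line_number, findings) for every line with at least one finding."""
    hits = []
    for number, line in enumerate(lines, start=1):
        findings = classify(line)
        if findings:
            hits.append((number, findings))
    return hits

# Constructed sample lines (documentation addresses, placeholder file names).
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Oct/2011:10:00:01 +0000] "GET /index.php?option=com_content&id=1 HTTP/1.1" 200 5120',
    '192.0.2.11 - - [22/Oct/2011:10:00:02 +0000] "GET /index.php?nn_qp=1&file=..%2F..%2Fexample.txt%00 HTTP/1.1" 200 812',
    '192.0.2.12 - - [22/Oct/2011:10:00:03 +0000] "POST /index.php?nn_qp=1&url=http%3A%2F%2Fexample.invalid%2F HTTP/1.1" 200 64',
    '192.0.2.13 - - [22/Oct/2011:10:00:04 +0000] "GET /index.php?nn_qp=1&file=media/example.php HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for number, findings in scan(SAMPLE_LOG):
        print(number, ", ".join(findings))
```

A hit on the POST label means the request body needs to be recovered from another source (WAF or proxy logs) before drawing a conclusion.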

The vulnerabilities are reported in the following extensions and
versions:
* Add to Menu, versions prior to 1.8.1.
* AdminBar Docker, versions prior to 1.6.1.
* Advanced Module Manager, versions prior to 2.2.3.
* Articles Anywhere, versions prior to 1.13.1.
* Better Preview, versions prior to 1.10.1.
* Cache Cleaner, versions prior to 1.11.1.
* CDN, versions prior to 1.6.1.
* Content Templater, versions prior to 1.14.1.
* CustoMenu, versions prior to 2.8.1.
* DB Replacer, versions prior to 1.3.2.
* Modalizer, versions prior to 3.6.1.
* Modules Anywhere, versions prior to 1.13.1.
* NoNumber! Extension Manager, versions prior to 2.6.2.
* ReReplacer, versions prior to 2.17.2.
* Slider, versions prior to 1.7.1.
* Snippets, versions prior to 1.2.1.
* Sourcerer, versions prior to 2.11.1.
* Tabber, versions prior to 1.7.1.
* Timed Styles, versions prior to 1.4.1.
* Tooltips, versions prior to 1.1.1.
* What? Nothing!, versions prior to 6.2.1.

SOLUTION:
Update to the respective latest version.

PROVIDED AND/OR DISCOVERED BY:
jdc

ORIGINAL ADVISORY:
NoNumber:
http://feeds.feedburner.com/nonumber/news

Joomla!:
http://docs.joomla.org/Vulnerable_Extensions_List#NoNumber_Framework