I noticed an increasing amount of reports about a mysterious shell upload vulnerability in BreezingForms. Those reports are wrong and here's why.
Back in February 2016, I published an update for a medium level information disclosure vulnerability in BreezingForms. The problem was that people stuck with using the default upload folder, instead of defining custom ones. In combination with a webserver's indexes being allowed, you could potentially read the upload folder's contents. The issue has been reported to the VEL by me and I fixed it accordingly.
However, recently there has been a report at "0day.today" that there would be a shell upload vulnerability in BreezingForms. It quickly turned out that this was based on the above information disclosure issue.
After some investigation, it was clear that the original reporter not just used an old version, but enabled file uploads in BreezingForms on purpose to allow files with the extension ".php" and played it out like it would allow such uploads on a vanilla BreezingForms install. Additionally he claimed that this hasn't been fixed and would be available in all versions (wrong, of course).
A classic false report made for the sake of click-baiting as you can check out here.
That's not a problem, things like this happen but what is interesting is how this report populates through the web:
After the reporter published this on Youtube and "0day.today" (never contacted me by the way), other services such Packet Storm picked it up unfiltered and in the end, popular Joomla! security plugins using Packet Storm pass this through, leading to a lot of confusion.
So we currently have the situation that a false positive report posted at "0day.today" (itself a very questionable source) makes it into Packet Storm which in turn makes it into reports of popular native Joomla! security extensions.
However, I strongly advise Joomla! users to use more reliable Joomla! security solutions such as myjoomla.com or watchfu.li as they are tailored for the needs of Joomla!. Those services strictly follow best-practices such as contacting the developer first before releasing any details about a potential risk, creating up-to-date and proper security reports.
Alternatively, you can ask the developer of your security extension to get more reliable reports as "0day.today" or Packet Storm clearly depend on reports you cannot rely on.