Hi, just by chance we found out that somebody managed to upload zip files to our server via jDownloads, into the jDownloads category folder, and a simple Google query shows that we are not alone.
On May 09 and May 11, somebody calling himself "fullmagic" uploaded two zip archives (161 bytes each) to a category as an unpublished download. The short description is filled out with "mari makan", and the download title is "rfdhng".
A Google search for "jdownloads rfdhng mari makan" shows a few pages with the same download on them, so you can see examples. It seems to be a really new thing: all results are from the last week, and there is no other discussion about it.
We are sure that's a security bug. How could that be possible?
- Joomla! 3.3.3
- jDownloads 220.127.116.11 Beta (we know there are updates but we don't know if this bug is fixed there)
We're updating now; this post is just to inform you and perhaps to get some information back.
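For anyone who wants to check their own jDownloads installation for the same kind of upload, here is a small triage script. It is an added example, not part of the original post and not jDownloads code: it walks a folder, picks out zip files that are tiny or recently modified, and lists their members without extracting anything, flagging archives that contain server-executable files or that are not valid zips at all. The path in CATEGORY_ROOT and the sample data produced by build_sample_dir() are assumptions made up for the example.

```python
import os
import tempfile
import zipfile
from datetime import datetime, timedelta

# Assumption: adjust this to the real jDownloads category folder on your web root.
CATEGORY_ROOT = "/var/www/html/jdownloads"

# Member names with these suffixes inside an archive deserve a manual look on a PHP host.
EXECUTABLE_SUFFIXES = (".php", ".phtml", ".php5", ".phar", ".htaccess")


def inspect_zip(path):
    """Summarise one zip file (member names only, nothing is extracted)."""
    info = {
        "name": os.path.basename(path),
        "path": path,
        "size": os.path.getsize(path),
        "members": [],
        "valid": True,
        "flagged": False,
    }
    try:
        with zipfile.ZipFile(path) as zf:
            for member in zf.infolist():
                info["members"].append(member.filename)
                if member.filename.lower().endswith(EXECUTABLE_SUFFIXES):
                    info["flagged"] = True
    except zipfile.BadZipFile:
        # Something named .zip that is not a zip is worth looking at as well.
        info["valid"] = False
        info["flagged"] = True
    return info


def find_suspicious_zips(root, max_size=1024, newer_than_days=30):
    """Return summaries for every .zip under root that is small or recently modified."""
    cutoff = datetime.now() - timedelta(days=newer_than_days)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".zip"):
                continue
            full = os.path.join(dirpath, name)
            mtime = datetime.fromtimestamp(os.path.getmtime(full))
            if os.path.getsize(full) <= max_size or mtime >= cutoff:
                hits.append(inspect_zip(full))
    return hits


def build_sample_dir():
    """Constructed sample data for a dry run: one tiny zip carrying a .php member, one benign zip."""
    root = tempfile.mkdtemp(prefix="jdl_sample_")
    category = os.path.join(root, "category_1")
    os.makedirs(category)
    with zipfile.ZipFile(os.path.join(category, "rfdhng.zip"), "w") as zf:
        zf.writestr("x.php", "<?php echo 'constructed placeholder'; ?>")
    with zipfile.ZipFile(os.path.join(category, "manual.zip"), "w") as zf:
        zf.writestr("readme.txt", "A" * 4000)  # stored uncompressed, so well over max_size
    return root


if __name__ == "__main__":
    target = CATEGORY_ROOT if os.path.isdir(CATEGORY_ROOT) else build_sample_dir()
    for hit in find_suspicious_zips(target):
        marker = "FLAG" if hit["flagged"] else "ok  "
        print(marker, hit["size"], hit["path"], hit["members"] if hit["valid"] else "(not a valid zip)")
```

Run it on the real folder and look at every FLAG line by hand; a flagged archive is a reason to pull the web server logs for the upload time, not proof on its own, and the size and age thresholds are only starting points.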