VYPR
Severity: unrated · NVD Advisory · Published Jul 27, 2011 · Updated Apr 29, 2026

CVE-2011-2891

Description

Joomla! 1.6.0 through 1.6.1 discloses the server filesystem path in an error message when an empty Itemid array parameter is passed to index.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Joomla! versions 1.6.0 through 1.6.1 are affected by a path disclosure vulnerability. By sending a request to index.php with an empty Itemid array parameter (e.g., Itemid[]=), the application triggers a PHP error that reveals the absolute filesystem path of the web root in the error message [1][2][3]. This is a different vulnerability from CVE-2011-2488 [2].

Exploitation

An attacker can exploit this vulnerability remotely without any authentication. The attacker simply sends an HTTP request to index.php with an empty Itemid array, such as index.php?Itemid[]=. The resulting error message will include the installation path [1][2][3]. The attack requires no special network position beyond being able to reach the Joomla! instance [2].

Impact

Successful exploitation results in information disclosure of the server's filesystem path [1][2][3]. While this is considered a low-severity issue, it provides attackers with knowledge that can aid in further attacks, such as identifying file locations for path traversal or local file inclusion attempts [2].

Mitigation

The vulnerability is fixed in Joomla! version 1.6.2 [1][2]. Users running Joomla! 1.6.x should upgrade to 1.6.2 or later. As of publication, no workaround is documented in the available references [1][2][3][4].

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (21)

  • Joomla/Joomla!, 21 versions:
    • cpe:2.3:a:joomla:joomla\!:1.6.0:*:*:*:*:*:*:*
    • cpe:2.3:a:joomla:joomla\!:1.6.1:*:*:*:*:*:*:*
    • cpe:2.3:a:joomla:joomla\!:1.6:alpha:*:*:*:*:*:*
    • cpe:2.3:a:joomla:joomla\!:1.6:alpha2:*:*:*:*:*:*
    • cpe:2.3:a:joomla:joomla\!:1.6:beta1:*:*:*:*:*:*
    • cpe:2.3:a:joomla:joomla\!:1.6:beta10:*:*:*:*:*:*
    • cpe:2.3:a:joomla:joomla\!:1.6:beta11:*:*:*:*:*:*
    • cpe:2.3:a:joomla:joomla\!:1.6:beta12:*:*:*:*:*:*
    • cpe:2.3:a:joomla:joomla\!:1.6:beta13:*:*:*:*:*:*
    • cpe:2.3:a:joomla:joomla\!:1.6:beta14:*:*:*:*:*:*
    • cpe:2.3:a:joomla:joomla\!:1.6:beta15:*:*:*:*:*:*
    • cpe:2.3:a:joomla:joomla\!:1.6:beta2:*:*:*:*:*:*
    • cpe:2.3:a:joomla:joomla\!:1.6:beta3:*:*:*:*:*:*
    • cpe:2.3:a:joomla:joomla\!:1.6:beta4:*:*:*:*:*:*
    • cpe:2.3:a:joomla:joomla\!:1.6:beta5:*:*:*:*:*:*
    • cpe:2.3:a:joomla:joomla\!:1.6:beta6:*:*:*:*:*:*
    • cpe:2.3:a:joomla:joomla\!:1.6:beta7:*:*:*:*:*:*
    • cpe:2.3:a:joomla:joomla\!:1.6:beta8:*:*:*:*:*:*
    • cpe:2.3:a:joomla:joomla\!:1.6:beta9:*:*:*:*:*:*
    • cpe:2.3:a:joomla:joomla\!:1.6:rc1:*:*:*:*:*:*
    • (no CPE) version range: <1.6.2

Patches (0)

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input validation on the `Itemid` parameter allows an empty array value to trigger a PHP error that exposes the installation path."

Attack vector

An attacker sends an HTTP request to `index.php` with an empty `Itemid` array parameter (e.g., `Itemid[]=`). The application fails to handle this malformed input gracefully and produces a PHP error message that includes the full server filesystem path. This path disclosure reveals the installation directory of Joomla! to the attacker [CWE-200] [ref_id=1]. No authentication or special privileges are required; the request can be made by any remote, unauthenticated user.

Affected code

The vulnerability is triggered through the `index.php` entry point of Joomla! 1.6.x before 1.6.2. The advisory does not specify a particular function or file path beyond the front controller, but the error is generated when an empty `Itemid` array parameter is passed to `index.php` [ref_id=1].

What the fix does

The bundle does not include a patch diff. The advisory [ref_id=1] identifies Joomla! 1.6.2 as the fixed version, implying that the vendor addressed the issue by improving error handling so that malformed `Itemid` parameters no longer cause the installation path to be leaked in error messages. Without the patch, the exact remediation mechanism (e.g., input validation or suppression of error output) is not visible.

Preconditions

  • Network: The attacker must be able to send HTTP requests to the Joomla! index.php endpoint.
  • Auth: No authentication or prior access is required.
  • Config: The vulnerable version must be Joomla! 1.6.x prior to 1.6.2.
  • Input: The attacker supplies an empty Itemid array parameter (e.g., Itemid[]=) in the request.

Reproduction

Send a request to the Joomla! index.php with an empty `Itemid` array parameter. For example: `http://target/joomla/index.php?Itemid[]=`. The server will respond with an error message that reveals the full installation path of Joomla! on the filesystem [ref_id=1].
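For operators who want to spot this probe in their logs and confirm an instance no longer leaks its path after upgrading, here is an added defensive example (not from the advisory or from Joomla!). The regexes, the access-log lines and the warning text are constructed for illustration; the warning text mimics the shape PHP uses when display_errors is on, not the exact message Joomla! 1.6.x produced.

```python
# Added example (not from the advisory or from Joomla!): flag access-log
# requests that send Itemid in PHP array syntax to index.php, and check a
# captured response body for a leaked absolute PHP script path.
import re
from urllib.parse import parse_qs, urlsplit

# Common log format: client ident user [timestamp] "METHOD target HTTP/x.y" status
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) '
    r'(?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Shape of a PHP warning that names the script: "in /var/www/x.php on line N"
PATH_LEAK_RE = re.compile(
    r'\bin ((?:/[\w.\-]+)+\.php|[A-Za-z]:\\(?:[\w.\-]+\\)*[\w.\-]+\.php) on line \d+'
)


def itemid_is_array(target: str) -> bool:
    """True when Itemid is sent in PHP array syntax (Itemid[]= or Itemid[n]=).
    parse_qs decodes %5B%5D, so raw and URL-encoded forms are both caught."""
    query = urlsplit(target).query
    return any(re.fullmatch(r'Itemid\[[^\]]*\]', key)
               for key in parse_qs(query, keep_blank_values=True))


def flag_probes(log_text: str) -> list:
    """One record per request to index.php whose Itemid is array-shaped."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if (m and urlsplit(m['target']).path.endswith('/index.php')
                and itemid_is_array(m['target'])):
            hits.append({'client': m['client'], 'target': m['target'],
                         'status': int(m['status'])})
    return hits


def leaked_paths(body: str) -> list:
    """Absolute script paths found in a response body; empty means no leak."""
    return PATH_LEAK_RE.findall(body)


# Constructed sample data (addresses from documentation ranges, not real hosts).
SAMPLE_LOG = """\
203.0.113.5 - - [27/Jul/2011:10:00:01 +0000] "GET /joomla/index.php?Itemid[]= HTTP/1.1" 200 4123
203.0.113.5 - - [27/Jul/2011:10:00:02 +0000] "GET /joomla/index.php?Itemid%5B%5D= HTTP/1.1" 200 4123
198.51.100.7 - - [27/Jul/2011:10:00:03 +0000] "GET /joomla/index.php?Itemid=101 HTTP/1.1" 200 8812
"""
# Constructed warning text in the shape PHP emits when display_errors is on.
SAMPLE_BODY = ("<b>Warning</b>: expects parameter 1 to be string, array given "
               "in /var/www/joomla/index.php on line 42")
```

Running `leaked_paths()` over the body of a response to a known-bad request is a quick post-upgrade check: an empty result means the error text no longer carries the installation directory.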

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (5)

News mentions (0)

No linked articles in our index yet.