Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:28063
HistoryMay 10, 2012 - 12:00 a.m.

[waraxe-2012-SA#087] - Reflected XSS in Joomla 1.5.26 "ja_purity" template

2012-05-1000:00:00
vulners.com
31
JSON

[waraxe-2012-SA#087] - Reflected XSS in Joomla 1.5.26 "ja_purity" template

Author: Janek Vind "waraxe"
Date: 03. May 2012
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-87.html
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2413

Description of vulnerable software:


Joomla is one of the world's most popular open source CMS (content management
system). With millions of websites running on Joomla, the software is used by
individuals, small & medium-sized businesses, and large organizations worldwide
to easily create & build a variety of websites & web-enabled applications. 


Vulnerable versions

Affected is Joomla version 1.5.26, older versions may be vulnerable as well.

###############################################################################

  1. Reflected XSS in Joomla 1.5.26 "ja_purity" template
    ###############################################################################

CVE Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2012-2413 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

Vulnerability Details:

Reason: outputting html data without proper encoding
Attack vector: user-provided cookie parameter
Preconditions:
1. "ja_purity" template must be in use
Result: XSS attack possibilities

Source code snippet from "templates/ja_purity/html/modules.php":
-----------------[ source code start ]---------------------------------
function modChrome_jarounded($module, &$params, &$attribs)
{
?>
<div class="jamod module<?php echo $params->get('moduleclass_sfx'); ?>" id="Mod<?php echo $module->id; ?>">
<div>
<div>
<div>
<?php if ($module->showtitle != 0) : ?>
<?php
if(isset($_COOKIE['Mod'.$module->id])) $modhide = $_COOKIE['Mod'.$module->id];
else $modhide = 'show';
?>
<h3 class="<?php echo $modhide; ?>"><span><?php echo $module->title; ?></span></h3>
-----------------[ source code end ]-----------------------------------

As seen above, user-provided cookie parameter is used for outputting html.
No data sanitization, which indicates Reflected XSS vulnerability issue.

Disclosure Timeline:


20.04.2012 Developers contacted via email, no response
24.04.2012 CVE identifier request
25.04.2012 Got CVE identifier
26.04.2012 Second attempt contacting developers via email, no response
03.05.2012 Advisory published


Contact:

[email protected]
Janek Vind "waraxe"

Waraxe forum: http://www.waraxe.us/forums.html
Personal homepage: http://www.janekvind.com/
Random project: http://albumnow.com/
---------------------------------- [ EOF ] ------------------------------------

Related

cve 1
packetstorm 1
prion 1
securityvulns 1
cve
cve
CVE-2012-2413
2014-10-20 14:55:00
packetstorm
packetstorm
Joomla 1.5.26 ja_purity Cross Site Scripting
2012-05-03 00:00:00
prion
prion
Cross site scripting
2014-10-20 14:55:00
securityvulns
securityvulns
Web applications security vulnerabilities summary &#40;PHP, ASP, JSP, CGI, Perl&#41;
2012-05-10 00:00:00
JSON
Related for SECURITYVULNS:DOC:28063
cve1packetstorm1prion1securityvulns1