lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20071227192136.1920.qmail@securityfocus.com>
Date: 27 Dec 2007 19:21:36 -0000
From: zinho@...kerscenter.com
To: bugtraq@...urityfocus.com
Subject: [HSC Security Group] Multiple CSRF in Joomla all versions -
 Complete compromise

[HSC] Multiple CSRF in Joomla all versions - Complete compromise


Hackers Center Security Group (http://www.hackerscenter.com)
Credit: Armando Romeo aka Zinho


Class: CSRF
Remote: Yes
Risk: HIGH

Product: Joomla
Version: All (1.0.13 and 1.5 rc3 tested)
Vendor: http://www.joomla.com
Patch: Joomla 1.5 RC4 



"Joomla! is one of the most powerful Open Source Content Management Systems on the planet. It is used all over the world for everything 
from simple websites to complex corporate applications. Joomla! is easy to install, simple to manage, and reliable"



Joomla is vulnerable to CSRF attacks into all of its released versions including the RC3 of 1.5.


+] Affected areas 

-Users
The attack allows everyone (no privileges needed) to add a new Super Admin by just having a Super Admin visiting a url

-Extension installation
The attack allow everyone (no privileges needed) to upload an extension from a remote location, thus having malicious PHP scripts on server. 
Read PHP shell.

-Global configuration
The attack allows everyone (no privileges needed) to change all the aspects of the site main configuration, including database configuration.

Defacement or complete portal compromise is possible including having access to the database.


+] Notes 

Joomla has been contacted on 12/4/2007. Fast and professional response was given. Patched in SVN 4 days later and then with the RC4 release.
Time to face CSRF, community!

+] Patch

Patch of the above vulnerabilities is included into the RC4 release of Joomla 1.5
As far as I know 1.0 has not been fixed so all the 1.0.x versions are vulnerable and unpatched,
that's why I'm not including a POC here.

________
http://kit.hackerscenter.com - The most comprehensive security pack you will ever find on the net!

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ