Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:28062
HistoryMay 10, 2012 - 12:00 a.m.

[waraxe-2012-SA#088] - Reflected XSS in Joomla 2.5.4 admin sysinfo page

2012-05-1000:00:00
vulners.com
41
JSON

[waraxe-2012-SA#088] - Reflected XSS in Joomla 2.5.4 admin sysinfo page

Author: Janek Vind "waraxe"
Date: 03. May 2012
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-88.html
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2412

Description of vulnerable software:


Joomla is one of the world's most popular open source CMS (content management
system). With millions of websites running on Joomla, the software is used by
individuals, small & medium-sized businesses, and large organizations worldwide
to easily create & build a variety of websites & web-enabled applications. 


Vulnerable versions

Affected is Joomla version 2.5.4, older versions may be vulnerable as well.

###############################################################################

  1. Reflected XSS in Joomla 2.5.4 admin sysinfo page
    ###############################################################################

CVE Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2012-2412 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

Vulnerability Details:

Reason: outputting html data without proper encoding
Attack vector: user-provided User-Agent string
Preconditions:
1. target victim must be logged in as admin
Result: XSS attack possibilities

Source code snippet from "sysinfo.php":
-----------------[ source code start ]---------------------------------
function &getInfo()
{

$this->info['useragent'] = $_SERVER['HTTP_USER_AGENT'];
-----------------[ source code end ]-----------------------------------

Source code snippet from "default_system.php":
-----------------[ source code start ]---------------------------------
<td>
<?php echo $this->info['useragent'];?>
</td>
-----------------[ source code end ]-----------------------------------

As seen above, user-provided User-Agent string is used for outputting html.
No data sanitization, which indicates Reflected XSS vulnerability issue.

Disclosure Timeline:


20.04.2012 Developers contacted via email, no response
24.04.2012 CVE identifier request
25.04.2012 Got CVE identifier
26.04.2012 Second attempt contacting developers via email, no response
03.05.2012 Advisory published


Contact:

[email protected]
Janek Vind "waraxe"

Waraxe forum: http://www.waraxe.us/forums.html
Personal homepage: http://www.janekvind.com/
Random project: http://albumnow.com/
---------------------------------- [ EOF ] ------------------------------------

Related

packetstorm 1
cve 1
securityvulns 1
packetstorm
packetstorm
Joomla 2.5.4 Cross Site Scripting
2012-05-03 00:00:00
cve
cve
CVE-2012-2412
2020-02-17 22:15:00
securityvulns
securityvulns
Web applications security vulnerabilities summary &#40;PHP, ASP, JSP, CGI, Perl&#41;
2012-05-10 00:00:00
JSON
Related for SECURITYVULNS:DOC:28062
packetstorm1cve1securityvulns1