FOREGROUND SECURITY, SECURITY ADVISORY 2013-001
Algis Info aiContactSafe Extension 2.0.19 (latest) Cross-Site Scripting (XSS) vulnerability (prior versions have not been checked but could be vulnerable too).
Algis Info aiContactSafe is a native Joomla component developed by Algis Info.
You can use it to place a complex contact form on your web page.
Here are some of the facilities that it can offer:
Algis Info aiContactSafe 2.0.19 (latest) Extension presents a Cross-Site Scripting (XSS) vulnerability in the "url" parameter due to insufficient input/output sanitization.
A malicious user could perform session hijacking or phishing attacks.
(This section has been removed per vendor request).
An attacker could perform session hijacking or phishing attacks.
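The advisory attributes the issue to insufficient input/output sanitization of the "url" field. The PHP below is an added example written for this page, not code from aiContactSafe, Algis Info or Foreground Security; it shows the general pattern of a form value being written back into HTML unencoded, beside a hardened handler that validates the value as an http/https URL and HTML-encodes it on output. The function names, the form markup and the sample inputs are assumptions, and the example is plain PHP rather than Joomla's own input and escaping helpers.

```php
<?php
// Added example, not aiContactSafe code. The field name "url" follows the
// advisory; the helper names and the form markup are assumptions.

// Vulnerable pattern: a submitted field is written straight back into the
// HTML response. A value containing markup is rendered as markup, which is
// what a reflected XSS relies on.
function render_url_field_vulnerable(string $url): string
{
    return '<input type="text" name="url" value="' . $url . '">';
}

// Hardened pattern, two layers:
//  1. Validate the input against what the field is meant to hold (an
//     http/https URL) and discard anything else. Output encoding alone
//     does not stop a "javascript:" value from later landing in an href.
//  2. HTML-encode on output regardless, so nothing that reaches the template
//     can close the attribute or the tag.
function sanitize_url_input(string $url): string
{
    $url = trim($url);
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return '';
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return '';
    }
    return $url;
}

function render_url_field_safe(string $url): string
{
    $clean = sanitize_url_input($url);
    // ENT_QUOTES encodes both " and ' so the value cannot end the attribute;
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    return '<input type="text" name="url" value="'
        . htmlspecialchars($clean, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '">';
}

// Constructed sample inputs: a legitimate URL and a value carrying markup.
$samples = [
    'https://example.com/page',
    '"><i>not a url</i>',
];
foreach ($samples as $s) {
    echo 'vulnerable: ' . render_url_field_vulnerable($s) . PHP_EOL;
    echo 'hardened:   ' . render_url_field_safe($s) . PHP_EOL;
}
```

For the second sample the vulnerable renderer emits the closing quote and the `<i>` element as live HTML, while the hardened renderer rejects the value at validation and emits an empty, fully encoded attribute. Keeping the encoding step in the renderer rather than only in the validator means a future field that skips validation is still not written raw.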
Joomla extension AlgisInfo com_aicontactsafe_2_0_19_stable (prior versions have not been checked but could be vulnerable too).
Fixed in the 2.0.21.stable release.
http://www.algisinfo.com/
http://www.foregroundsecurity.com/
This vulnerability has been discovered by Adam Willard (awillard (at) foregroundsecurity (dot) com), verification and release coordination by Jose Carlos de Arriba (jcarriba (at) foregroundsecurity (dot) com).
April 2, 2013: Vulnerability discovered by Adam Willard.
April 3, 2013: Vulnerability verified by Jose Carlos de Arriba.
April 15: AlgisInfo aiContactSafe author contacted by e-mail.
April 15: Response from author; security advisory sent to him.
April 16: Vulnerability fixed in the 2.0.21.stable release.
July 10: Security advisory released.
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Jose Carlos de Arriba, CISSP
Pentest Team Manager
Foreground Security
305-340-9964
jcarriba (at) foregroundsecurity (dot) com
www.foregroundsecurity.com