Full Disclosure mailing list archives
Re: Joomla! 1.0.x ~ 1.0.15 | Cross Site Scripting (XSS) Vulnerability
From: YGN Ethical Hacker Group <lists () yehg net>
Date: Fri, 14 Jan 2011 02:43:23 +0800
Niels Braczek from the German Joomla! community has released a patch:
http://www.joomlaportal.de/sicherheit/241658-joomla-1-0-x-1-0-15-cross-site-scripting-xss-vulnerability.html
It uses the same Joomla! filtering function and thus is supposed to be safe.

For your convenience, download the patched file from
http://yehg.net/lab/pr0js/advisories/joomla/core/patched_com_search.zip
(checksum: 5368aa00b2d4746e025baa030babc888)

Updated advisory.

==============================================================================
Joomla! 1.0.x ~ 1.0.15 | Cross Site Scripting (XSS) Vulnerability
==============================================================================

1. OVERVIEW

The Joomla! 1.0.x series is currently vulnerable to Cross Site Scripting. CVE ID CVE-2011-0005 has been assigned for it.

2. BACKGROUND

Joomla! is a free and open source content management system (CMS) for publishing content on the World Wide Web and intranets.

3. VULNERABILITY DESCRIPTION

The "ordering" parameter in a core module, com_search, is not properly sanitized and is thus vulnerable to XSS. By leveraging this vulnerability, attackers can compromise the session of a currently logged-in user/administrator and impersonate arbitrary user actions available under /administrator/ functions. As the vulnerability is in a core module, it affects both classic and customized Joomla! 1.0.x based web sites.

4. VERSIONS AFFECTED

Joomla! 1.0.x ~ 1.0.15 series

5. PROOF-OF-CONCEPT/EXPLOIT

http://attacker.in/joomla1015/index.php?option=com_search&searchword=xss&searchphrase=any&ordering=newest%22%20onmousemove=alert%28document.cookie%29%20style=position:fixed;top:0;left:0;width:100%;height:100%;%22

6. SOLUTION

The Joomla! 1.0.x series has been at end of life since 2009-07-22.

Upgrade to the Joomla! 1.5.x family (1.5.22 as of 2011-01-06).

Apply the third-party patch:
http://www.joomlaportal.de/sicherheit/241658-joomla-1-0-x-1-0-15-cross-site-scripting-xss-vulnerability.html

7. VENDOR

Joomla! Developer Team
http://www.joomla.org

8. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.

9. DISCLOSURE TIME-LINE

2011-01-03: notified Joomla! Security Strike Team regardless of EOL status
2011-01-06: vulnerability disclosed
2011-01-07: vendor confirmed that they would not release a patch

10. VENDOR RESPONSE

While noted, your exploit report does not fall within the JSST remit as we no longer support the J1.0.x branch (as you are aware and indicate). The vulnerability mentioned is not known to exist in any current supported release. Please ensure you are using the latest version of Joomla!

11. REFERENCES

Original Advisory URL: http://yehg.net/lab/pr0js/advisories/joomla/core/[joomla_1.0.x~15]_cross_site_scripting
Patched File: http://yehg.net/lab/pr0js/advisories/joomla/core/patched_com_search.zip
Joomla! 1.0.x End of Life: http://community.joomla.org/blogs/community/509-an-old-friend-comes-of-age.html
OWASP Top 10: http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
CWE-79: http://cwe.mitre.org/data/definitions/79.html

#yehg [2011-01-06]
#updated - 2011-01-14 - added patched link
#updated - 2011-01-07 - added VENDOR RESPONSE, CVE ID

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
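As an added example (not part of the advisory and not Joomla!'s own code), the following Python script shows how a defender can pick requests that abuse the com_search "ordering" parameter out of web-server access logs, and the allow-list-then-escape shape a server-side fix for this parameter should take. The log lines are constructed, and the set of legitimate ordering values is an assumption (only "newest" appears in the advisory).

```python
import html
from urllib.parse import unquote_plus

# Assumed legitimate ordering values; only "newest" appears in the advisory.
ALLOWED_ORDERING = {"newest", "oldest", "popular", "alpha", "category"}

# Constructed log lines (not real traffic); line 2 carries the advisory's PoC.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Jan/2011:10:01:02 +0000] "GET /index.php?option=com_search&searchword=test&searchphrase=any&ordering=newest HTTP/1.1" 200 5120
10.0.0.9 - - [06/Jan/2011:10:02:15 +0000] "GET /index.php?option=com_search&searchword=xss&searchphrase=any&ordering=newest%22%20onmousemove=alert%28document.cookie%29%20style=position:fixed;top:0;left:0;width:100%;height:100%;%22 HTTP/1.1" 200 5211
10.0.0.7 - - [06/Jan/2011:10:03:40 +0000] "GET /index.php?option=com_content&view=article&id=3 HTTP/1.1" 200 8000
"""

def query_params(log_line):
    """Return the decoded query parameters of the request in a log line."""
    try:
        target = log_line.split('"')[1].split(" ")[1]   # "GET <target> HTTP/1.1"
    except IndexError:
        return {}
    query = target.partition("?")[2]
    params = {}
    for pair in query.split("&"):          # split on & only; ';' is part of the value
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return params

def suspicious_ordering(log_line):
    """Decoded 'ordering' value of a com_search request outside the allow-list, else None."""
    params = query_params(log_line)
    if params.get("option") != "com_search":
        return None
    value = params.get("ordering")
    return value if value is not None and value not in ALLOWED_ORDERING else None

def flag_log(text):
    """(line number, decoded value) for every suspicious request in text."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        value = suspicious_ordering(line)
        if value is not None:
            hits.append((number, value))
    return hits

def safe_ordering(value):
    """Fix shape: accept only allow-listed values, then escape for the attribute context."""
    if value not in ALLOWED_ORDERING:
        value = "newest"
    return html.escape(value, quote=True)
```

Running flag_log(SAMPLE_LOG) reports only line 2, with the payload decoded so an analyst sees the injected event handler rather than percent-encoding.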