Joomla 1.5.26 ja_purity Cross Site Scripting

`  
[waraxe-2012-SA#087] - Reflected XSS in Joomla 1.5.26 "ja_purity" template  
===============================================================================  
  
Author: Janek Vind "waraxe"  
Date: 03. May 2012  
Location: Estonia, Tartu  
Web: http://www.waraxe.us/advisory-87.html  
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2413  
  
Description of vulnerable software:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Joomla is one of the world's most popular open source CMS (content management  
system). With millions of websites running on Joomla, the software is used by  
individuals, small & medium-sized businesses, and large organizations worldwide  
to easily create & build a variety of websites & web-enabled applications.   
  
  
Vulnerable versions  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Affected is Joomla version 1.5.26, older versions may be vulnerable as well.  
  
###############################################################################  
1. Reflected XSS in Joomla 1.5.26 "ja_purity" template  
###############################################################################  
  
CVE Information:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
The Common Vulnerabilities and Exposures (CVE) project has assigned the  
name CVE-2012-2413 to this issue. This is a candidate for inclusion in  
the CVE list (http://cve.mitre.org/), which standardizes names for  
security problems.  
  
Vulnerability Details:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Reason: outputting html data without proper encoding  
Attack vector: user-provided cookie parameter  
Preconditions:  
1. "ja_purity" template must be in use  
Result: XSS attack possibilities  
  
  
Source code snippet from "templates/ja_purity/html/modules.php":  
-----------------[ source code start ]---------------------------------  
function modChrome_jarounded($module, &$params, &$attribs)  
{   
?>  
<div class="jamod module<?php echo $params->get('moduleclass_sfx'); ?>" id="Mod<?php echo $module->id; ?>">  
<div>  
<div>  
<div>  
<?php if ($module->showtitle != 0) : ?>  
<?php  
if(isset($_COOKIE['Mod'.$module->id])) $modhide = $_COOKIE['Mod'.$module->id];  
else $modhide = 'show';  
?>  
<h3 class="<?php echo $modhide; ?>"><span><?php echo $module->title; ?></span></h3>  
-----------------[ source code end ]-----------------------------------  
  
As seen above, user-provided cookie parameter is used for outputting html.  
No data sanitization, which indicates Reflected XSS vulnerability issue.  
  
  
Disclosure Timeline:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
20.04.2012 Developers contacted via email, no response  
24.04.2012 CVE identifier request  
25.04.2012 Got CVE identifier  
26.04.2012 Second attempt contacting developers via email, no response  
03.05.2012 Advisory published  
  
  
Contact:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
[email protected]  
Janek Vind "waraxe"  
  
Waraxe forum: http://www.waraxe.us/forums.html  
Personal homepage: http://www.janekvind.com/  
Random project: http://albumnow.com/  
---------------------------------- [ EOF ] ------------------------------------  
`