Lucene search

K
packetstormJanek Vind aka waraxePACKETSTORM:112451
HistoryMay 03, 2012 - 12:00 a.m.

Joomla 2.5.4 Cross Site Scripting

2012-05-0300:00:00
Janek Vind aka waraxe
packetstormsecurity.com
33

EPSS

0.002

Percentile

64.3%

`  
[waraxe-2012-SA#088] - Reflected XSS in Joomla 2.5.4 admin sysinfo page  
===============================================================================  
  
Author: Janek Vind "waraxe"  
Date: 03. May 2012  
Location: Estonia, Tartu  
Web: http://www.waraxe.us/advisory-88.html  
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2412  
  
Description of vulnerable software:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Joomla is one of the world's most popular open source CMS (content management  
system). With millions of websites running on Joomla, the software is used by  
individuals, small & medium-sized businesses, and large organizations worldwide  
to easily create & build a variety of websites & web-enabled applications.   
  
  
Vulnerable versions  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Affected is Joomla version 2.5.4, older versions may be vulnerable as well.  
  
###############################################################################  
1. Reflected XSS in Joomla 2.5.4 admin sysinfo page  
###############################################################################  
  
CVE Information:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
The Common Vulnerabilities and Exposures (CVE) project has assigned the  
name CVE-2012-2412 to this issue. This is a candidate for inclusion in  
the CVE list (http://cve.mitre.org/), which standardizes names for  
security problems.  
  
Vulnerability Details:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Reason: outputting html data without proper encoding  
Attack vector: user-provided User-Agent string  
Preconditions:  
1. target victim must be logged in as admin  
Result: XSS attack possibilities  
  
  
Source code snippet from "sysinfo.php":  
-----------------[ source code start ]---------------------------------  
function &getInfo()  
{  
..  
$this->info['useragent'] = $_SERVER['HTTP_USER_AGENT'];  
-----------------[ source code end ]-----------------------------------  
  
  
Source code snippet from "default_system.php":  
-----------------[ source code start ]---------------------------------  
<td>  
<?php echo $this->info['useragent'];?>  
</td>  
-----------------[ source code end ]-----------------------------------  
  
As seen above, user-provided User-Agent string is used for outputting html.  
No data sanitization, which indicates Reflected XSS vulnerability issue.  
  
  
Disclosure Timeline:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
20.04.2012 Developers contacted via email, no response  
24.04.2012 CVE identifier request  
25.04.2012 Got CVE identifier  
26.04.2012 Second attempt contacting developers via email, no response  
03.05.2012 Advisory published  
  
  
Contact:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
[email protected]  
Janek Vind "waraxe"  
  
Waraxe forum: http://www.waraxe.us/forums.html  
Personal homepage: http://www.janekvind.com/  
Random project: http://albumnow.com/  
---------------------------------- [ EOF ] ------------------------------------  
`

EPSS

0.002

Percentile

64.3%

Related for PACKETSTORM:112451