Joomla 2.5.4 Cross Site Scripting

🗓️ 03 May 2012 00:00:00Reported by Janek Vind aka waraxeType

packetstorm🔗 packetstormsecurity.com👁 45 Views

Joomla 2.5.4 Cross Site Scripting in admin sysinfo pag

Reporter	Title	Published	Views	Family All 6
Circl	CVE-2012-2412	18 Feb 202000:36	–	circl
CVE	CVE-2012-2412	17 Feb 202021:34	–	cve
Cvelist	CVE-2012-2412	17 Feb 202021:34	–	cvelist
NVD	CVE-2012-2412	17 Feb 202022:15	–	nvd
securityvulns	[waraxe-2012-SA#088] - Reflected XSS in Joomla 2.5.4 admin sysinfo page	10 May 201200:00	–	securityvulns
securityvulns	Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)	10 May 201200:00	–	securityvulns

`  
[waraxe-2012-SA#088] - Reflected XSS in Joomla 2.5.4 admin sysinfo page  
===============================================================================  
  
Author: Janek Vind "waraxe"  
Date: 03. May 2012  
Location: Estonia, Tartu  
Web: http://www.waraxe.us/advisory-88.html  
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2412  
  
Description of vulnerable software:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Joomla is one of the world's most popular open source CMS (content management  
system). With millions of websites running on Joomla, the software is used by  
individuals, small & medium-sized businesses, and large organizations worldwide  
to easily create & build a variety of websites & web-enabled applications.   
  
  
Vulnerable versions  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Affected is Joomla version 2.5.4, older versions may be vulnerable as well.  
  
###############################################################################  
1. Reflected XSS in Joomla 2.5.4 admin sysinfo page  
###############################################################################  
  
CVE Information:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
The Common Vulnerabilities and Exposures (CVE) project has assigned the  
name CVE-2012-2412 to this issue. This is a candidate for inclusion in  
the CVE list (http://cve.mitre.org/), which standardizes names for  
security problems.  
  
Vulnerability Details:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Reason: outputting html data without proper encoding  
Attack vector: user-provided User-Agent string  
Preconditions:  
1. target victim must be logged in as admin  
Result: XSS attack possibilities  
  
  
Source code snippet from "sysinfo.php":  
-----------------[ source code start ]---------------------------------  
function &getInfo()  
{  
..  
$this->info['useragent'] = $_SERVER['HTTP_USER_AGENT'];  
-----------------[ source code end ]-----------------------------------  
  
  
Source code snippet from "default_system.php":  
-----------------[ source code start ]---------------------------------  
<td>  
<?php echo $this->info['useragent'];?>  
</td>  
-----------------[ source code end ]-----------------------------------  
  
As seen above, user-provided User-Agent string is used for outputting html.  
No data sanitization, which indicates Reflected XSS vulnerability issue.  
  
  
Disclosure Timeline:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
20.04.2012 Developers contacted via email, no response  
24.04.2012 CVE identifier request  
25.04.2012 Got CVE identifier  
26.04.2012 Second attempt contacting developers via email, no response  
03.05.2012 Advisory published  
  
  
Contact:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
[email protected]  
Janek Vind "waraxe"  
  
Waraxe forum: http://www.waraxe.us/forums.html  
Personal homepage: http://www.janekvind.com/  
Random project: http://albumnow.com/  
---------------------------------- [ EOF ] ------------------------------------  
`

03 May 2012 00:00Current

0.1Low risk

Vulners AI Score0.1