Joomla 3.1.5 Cross Site Scripting

2013-08-06T00:00:00
ID PACKETSTORM:122695
Type packetstorm
Reporter Emilio Pinna
Modified 2013-08-06T00:00:00

Description

                                        
                                            `============================================================  
- Original release date: August 05, 2013  
- Discovered by: Emilio Pinna (Application Security Analyst at Abinsula)  
- Contact: (emilio (dot) pinn (at) gmail (dot) com)  
- Severity: 4.3/10 (Base CVSS Score)  
============================================================  
  
VULNERABILITY  
-------------------------  
Joomla core package <= 3.1.5 includes a PHP script that suffers from  
reflected XSS vulnerability that allows to inject HTML and malicious  
scripts that can access any cookies, session tokens, or other  
sensitive information retained by your browser and used with that  
site.  
  
Joomla is one of the most installed CMS with dozens of millions of  
installations.  
  
DESCRIPTION  
-------------------------  
Affected file libraries/idna_convert/example.php has different injection points:  
  
- Unsanitized lang parameter in line 24  
- Unsanitized file name printing on lines 112 and 119  
  
PROOF OF CONCEPT  
-------------------------  
  
http://localhost/joomla/libraries/idna_convert/example.php?lang="><script>alert(document.cookie);</script><!--  
  
BUSINESS IMPACT  
-------------------------  
As usual, attackers can exploit these weaknesses to execute arbitrary  
HTML and script code in a user's browser session that visits the  
malicious crafted url.  
  
SYSTEMS AFFECTED  
-------------------------  
Joomla-CMS <= 3.1.5  
  
SOLUTION  
-------------------------  
Fixed removing the vulnerable example file on git with commit  
c00c033d33d901e1ca6be9061a44e55acd041b1f  
  
REFERENCES  
-------------------------  
http://disse.cting.org/2013/08/05/joomla-core-3_1_5_reflected-xss-vulnerability/  
https://github.com/joomla/joomla-cms/issues/1658  
  
CREDITS  
-------------------------  
Emilio Pinna (emilio (dot) pinn (at) gmail (dot) com)  
  
DISCLOSURE TIMELINE  
-------------------------  
August 4, 2013: Opened a ticket describing the bug by Adam Willard.  
August 5, 2013: Fixed by Michael Babker.  
August 5, 2013: Vulnerability disclosed by Emilio Pinna.  
  
LEGAL NOTICES  
-------------------------  
The information contained within this advisory is supplied "as-is"  
with no warranties or guarantees of fitness of use or otherwise.  
`