cgTestimonial 2.2 Joomla Component Multiple Remote Vulnerabilities

2010-08-09T00:00:00
ID SECURITYVULNS:DOC:24444
Type securityvulns
Reporter Securityvulns
Modified 2010-08-09T00:00:00

Description

cgTestimonial 2.2 Joomla Component Multiple Remote Vulnerabilities

Name: cgTestimonial
Vendor: http://www.cmsgalaxy.com
Versions Affected: 2.2

Author: Salvatore Fresta aka Drosophila
Website: http://www.salvatorefresta.net
Contact: salvatorefresta [at] gmail [dot] com
Date: 2010-08-06

X. INDEX

I. ABOUT THE APPLICATION
II. DESCRIPTION
III. ANALYSIS
IV. SAMPLE CODE
V. FIX

I. ABOUT THE APPLICATION


The cg_Testimonial component is a tool for letting users add testimonials from the frontend and for managing and publishing them from the backend. This Joomla extension lets website users submit a testimonial form with several fields on one of the site's pages, and allows testimonials to be added either by users or by the administrator.

II. DESCRIPTION


Some parameters are not properly sanitised. The following vulnerabilities can be exploited by guest (unauthenticated) users.

III. ANALYSIS


Summary:

A) Multiple Arbitrary File Upload
B) XSS

A) Multiple Arbitrary File Upload


The usr_img parameter in cgtestimonial.php (frontend) and in testimonial.php (admin) is not properly sanitised. The admin handler performs no check at all; the frontend handler only checks the Content-Type field of the uploaded part, which is supplied by the client in the multipart request body and can therefore be set freely by the attacker. Declaring an image MIME type is enough to have a file of any type, such as a PHP script, accepted.
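The following PHP is an added example written for this page, not code from cgTestimonial or its vendor. It contrasts the check described above (trusting the client-supplied MIME type) with a server-side check that allow-lists the extension and parses the file bytes, and it stores the file under a random name. The function names, the extension allow-list, the temporary files and the two constructed "uploads" are all assumptions made for the demo.

```php
<?php
// Added example, not cgTestimonial's code. Function names, the allow-list and
// the constructed $_FILES-style arrays below are assumptions for this demo.

// Vulnerable pattern: $_FILES['usr_img']['type'] is copied from the
// Content-Type line the client sends in the multipart body, so the uploader
// chooses it freely.
function check_upload_by_content_type(array $file): bool
{
    return in_array($file['type'], ['image/jpeg', 'image/png', 'image/gif'], true);
}

// Hardened pattern: ignore the client-supplied MIME type, allow-list the
// extension, and confirm the file bytes actually parse as that image type.
function check_upload_server_side(array $file): bool
{
    if ($file['error'] !== UPLOAD_ERR_OK) {
        return false;
    }
    $allowed = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                'png' => 'image/png', 'gif' => 'image/gif'];
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return false;                           // .php, .phtml, .htaccess, ... rejected
    }
    $info = @getimagesize($file['tmp_name']);   // parses the real header bytes
    return $info !== false && $info['mime'] === $allowed[$ext];
}

// Store under a random name with the validated extension so the original
// file name never reaches the filesystem. A real handler would pass this
// name to move_uploaded_file() targeting a directory that does not execute PHP.
function safe_target_name(array $file): string
{
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// --- demo with constructed inputs (not real uploads) ---
$phpTmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($phpTmp, "<?php echo 'not an image'; ?>");

$gifTmp = tempnam(sys_get_temp_dir(), 'up');
// A genuine 1x1 transparent GIF.
file_put_contents($gifTmp, base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));

$forged = ['name' => 'shell.php', 'type' => 'image/jpeg',
           'tmp_name' => $phpTmp, 'error' => UPLOAD_ERR_OK, 'size' => filesize($phpTmp)];
$forgedJpg = ['name' => 'shell.jpg'] + $forged;   // same PHP bytes, innocent name
$real = ['name' => 'me.gif', 'type' => 'image/gif',
         'tmp_name' => $gifTmp, 'error' => UPLOAD_ERR_OK, 'size' => filesize($gifTmp)];

var_dump(check_upload_by_content_type($forged));   // only the forged MIME type is consulted
var_dump(check_upload_server_side($forged));       // extension .php is not allow-listed
var_dump(check_upload_server_side($forgedJpg));    // bytes do not parse as JPEG
var_dump(check_upload_server_side($real));         // real GIF with matching extension
echo safe_target_name($real), "\n";

unlink($phpTmp);
unlink($gifTmp);
```

getimagesize() on its own is not sufficient: a file that starts with a valid GIF or JPEG header can still carry PHP code after it. The random file name with a fixed, allow-listed extension and a storage directory where the web server does not execute scripts are what keep such a polyglot from being run.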

B) XSS


The url parameter in video.php is not properly sanitised before being printed on screen, allowing reflected XSS. Because the value is reflected inside an HTML attribute, a payload that first closes the attribute and the tag (the PoC in section IV) escapes into script context.
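The following PHP is an added example for this page, not the component's video.php. It shows the reflection pattern described above next to a hardened version that validates the URL (scheme and host) before attribute-encoding it, and runs the advisory's own payload through both. The function names, the embed markup and the host allow-list are assumptions for the demo.

```php
<?php
// Added example, not cgTestimonial's video.php. Function names, markup and the
// host allow-list are assumptions for this demo.

// Vulnerable pattern: the raw parameter lands inside a double-quoted attribute,
// so a value beginning with "> closes the attribute and the tag.
function vulnerable_video_tag(string $url): string
{
    return '<embed src="' . $url . '"></embed>';
}

// Validation: only http/https URLs pointing at an allow-listed video host.
function safe_video_url(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;                       // javascript:, data:, vbscript: rejected
    }
    $hosts = ['www.youtube.com', 'youtube.com', 'player.vimeo.com']; // assumed allow-list
    if (!in_array(strtolower($parts['host']), $hosts, true)) {
        return null;
    }
    return $url;
}

// Hardened pattern: validate, then encode for the attribute context. Encoding is
// still required after validation because the path and query are attacker-chosen.
function hardened_video_tag(string $url): string
{
    $clean = safe_video_url($url);
    if ($clean === null) {
        return '';
    }
    return '<embed src="' . htmlspecialchars($clean, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '"></embed>';
}

// The advisory's PoC payload.
$payload = '"><script>alert(\'xss\');</script>';
echo vulnerable_video_tag($payload), "\n";   // attribute broken, script tag injected
echo hardened_video_tag($payload), "\n";     // no scheme/host, rejected before output
// Allow-listed host but quotes in the path: encoded, stays inside the attribute.
echo hardened_video_tag('https://www.youtube.com/v/abc"onload="x'), "\n";
```

The first call reproduces the break-out the advisory describes; the second shows the payload never reaching the page; the third shows why encoding is kept even after the host check, since any character the attacker controls after the host would otherwise still terminate the attribute.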

IV. SAMPLE CODE


A) Multiple Arbitrary File Upload

http://poc.salvatorefresta.net/PoC-cgTestimonial2.2.pl.txt

B) XSS

http://site/path/components/com_cgtestimonial/video.php?url="><script>alert('xss');</script>

V. FIX


No vendor fix was available at the time of publication.