[waraxe-2012-SA#088] - Reflected XSS in Joomla 2.5.4 admin sysinfo page

2012-05-10T00:00:00
ID SECURITYVULNS:DOC:28062
Type securityvulns
Reporter Securityvulns
Modified 2012-05-10T00:00:00

Description


Author: Janek Vind "waraxe"
Date: 03. May 2012
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-88.html
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2412

Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Joomla is one of the world's most popular open source CMS (content management system). With millions of websites running on Joomla, the software is used by individuals, small & medium-sized businesses, and large organizations worldwide to easily create & build a variety of websites & web-enabled applications.

Vulnerable versions
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Affected is Joomla version 2.5.4; older versions may be vulnerable as well.

  1. Reflected XSS in Joomla 2.5.4 admin sysinfo page

CVE Information:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2012-2412 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

Vulnerability Details:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reason: outputting html data without proper encoding
Attack vector: user-provided User-Agent string
Preconditions:
  1. target victim must be logged in as admin
Result: XSS attack possibilities

Source code snippet from "sysinfo.php":
-----------------[ source code start ]---------------------------------
function &getInfo()
{
..
    $this->info['useragent'] = $_SERVER['HTTP_USER_AGENT'];
-----------------[ source code end ]-----------------------------------

Source code snippet from "default_system.php":
-----------------[ source code start ]---------------------------------
<td>
    <?php echo $this->info['useragent'];?>
</td>
-----------------[ source code end ]-----------------------------------

As seen above, the user-provided User-Agent string is written directly into the HTML output. No data sanitization is applied, which indicates a Reflected XSS vulnerability.
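
The output pattern from the two snippets above, next to a variant that HTML-encodes the value at the point of output. This is an added example, not code from the advisory or from Joomla; the function names and the sample User-Agent value are constructed for illustration.

```php
<?php
// Added example: not Joomla's code. Function names are hypothetical.

/**
 * Mirrors the template line from default_system.php:
 * the header value is placed into the table cell unchanged.
 */
function render_useragent_cell_raw(array $info): string
{
    return '<td>' . $info['useragent'] . '</td>';
}

/**
 * Same cell, but the value is encoded for an HTML text context
 * at the moment it is written out.
 */
function render_useragent_cell_encoded(array $info): string
{
    // The User-Agent header is optional, so tolerate a missing value.
    $value = isset($info['useragent']) ? (string) $info['useragent'] : '';

    // ENT_QUOTES encodes both single and double quotes.
    // ENT_SUBSTITUTE replaces invalid UTF-8 sequences instead of
    // making htmlspecialchars() return an empty string.
    return '<td>'
        . htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</td>';
}

// Constructed sample value standing in for $_SERVER['HTTP_USER_AGENT'].
$info = array(
    'useragent' => 'Mozilla/5.0 <b id="x">marker</b> & \'test\'',
);

// Raw form: the markup inside the header value becomes part of the page.
echo render_useragent_cell_raw($info), "\n";

// Encoded form: <, >, &, " and ' are emitted as character references,
// so the browser shows the value as text.
echo render_useragent_cell_encoded($info), "\n";

// A request without a User-Agent header yields an empty cell.
echo render_useragent_cell_encoded(array()), "\n";
```

Encoding in the template rather than in getInfo() keeps the stored value intact for other uses and ties the escaping to the HTML context where the value is written.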

Disclosure Timeline:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

20.04.2012 Developers contacted via email, no response
24.04.2012 CVE identifier request
25.04.2012 Got CVE identifier
26.04.2012 Second attempt contacting developers via email, no response
03.05.2012 Advisory published

Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe@yahoo.com
Janek Vind "waraxe"

Waraxe forum: http://www.waraxe.us/forums.html
Personal homepage: http://www.janekvind.com/
Random project: http://albumnow.com/
---------------------------------- [ EOF ] ------------------------------------