[HSC] Multiple CSRF in Joomla all versions - Complete compromise
Hackers Center Security Group (http://www.hackerscenter.com)
Credit: Armando Romeo aka Zinho
Version: All (1.0.13 and 1.5 rc3 tested)
Patch: Joomla 1.5 RC4
"Joomla! is one of the most powerful Open Source Content Management
Systems on the planet. It is used all over the world for everything
from simple websites to complex corporate applications. Joomla! is easy
to install, simple to manage, and reliable"
Joomla is vulnerable to CSRF attacks into all of its released versions
including the RC3 of 1.5.
+] Affected areas
The attack allows everyone (no privileges needed) to add a new Super
Admin by just having a Super Admin visiting a url
The attack allow everyone (no privileges needed) to upload an extension
from a remote location, thus having malicious PHP scripts on server.
Read PHP shell.
The attack allows everyone (no privileges needed) to change all the
aspects of the site main configuration, including database configuration.
Defacement or complete portal compromise is possible including having
access to the database.
Joomla has been contacted on 12/4/2007. Fast and professional response
was given. Patched in SVN 4 days later and then with the RC4 release.
Time to face CSRF, community!
Patch of the above vulnerabilities is included into the RC4 release of
As far as I know 1.0 has not been fixed so all the 1.0.x versions are
vulnerable and unpatched,
that's why I'm not including a POC here.
http://kit.hackerscenter.com - The most comprehensive security pack you
will ever find on the net!
Webmaster and Founder
Internet Security Portal