[waraxe-2012-SA#087] - Reflected XSS in Joomla 1.5.26 "ja_purity" template =============================================================================== Author: Janek Vind "waraxe" Date: 03. May 2012 Location: Estonia, Tartu Web: http://www.waraxe.us/advisory-87.html CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2413 Description of vulnerable software: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Joomla is one of the world's most popular open source CMS (content management system). With millions of websites running on Joomla, the software is used by individuals, small & medium-sized businesses, and large organizations worldwide to easily create & build a variety of websites & web-enabled applications. Vulnerable versions ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Affected is Joomla version 1.5.26, older versions may be vulnerable as well. ############################################################################### 1. Reflected XSS in Joomla 1.5.26 "ja_purity" template ############################################################################### CVE Information: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2012-2413 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems. Vulnerability Details: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Reason: outputting html data without proper encoding Attack vector: user-provided cookie parameter Preconditions: 1. "ja_purity" template must be in use Result: XSS attack possibilities Source code snippet from "templates/ja_purity/html/modules.php": -----------------[ source code start ]--------------------------------- function modChrome_jarounded($module, &$params, &$attribs) { ?> <div class="jamod module<?php echo $params->get('moduleclass_sfx'); ?>" id="Mod<?php echo $module->id; ?>"> <div> <div> <div> <?php if ($module->showtitle != 0) : ?> <?php if(isset($_COOKIE['Mod'.$module->id])) $modhide = $_COOKIE['Mod'.$module->id]; else $modhide = 'show'; ?> <h3 class="<?php echo $modhide; ?>"><span><?php echo $module->title; ?></span></h3> -----------------[ source code end ]----------------------------------- As seen above, user-provided cookie parameter is used for outputting html. No data sanitization, which indicates Reflected XSS vulnerability issue. Disclosure Timeline: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 20.04.2012 Developers contacted via email, no response 24.04.2012 CVE identifier request 25.04.2012 Got CVE identifier 26.04.2012 Second attempt contacting developers via email, no response 03.05.2012 Advisory published Contact: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ come2waraxe@yahoo.com Janek Vind "waraxe" Waraxe forum: http://www.waraxe.us/forums.html Personal homepage: http://www.janekvind.com/ Random project: http://albumnow.com/ ---------------------------------- [ EOF ] ------------------------------------