[waraxe-2012-SA#088] - Reflected XSS in Joomla 2.5.4 admin sysinfo page =============================================================================== Author: Janek Vind "waraxe" Date: 03. May 2012 Location: Estonia, Tartu Web: http://www.waraxe.us/advisory-88.html CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2412 Description of vulnerable software: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Joomla is one of the world's most popular open source CMS (content management system). With millions of websites running on Joomla, the software is used by individuals, small & medium-sized businesses, and large organizations worldwide to easily create & build a variety of websites & web-enabled applications. Vulnerable versions ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Affected is Joomla version 2.5.4, older versions may be vulnerable as well. ############################################################################### 1. Reflected XSS in Joomla 2.5.4 admin sysinfo page ############################################################################### CVE Information: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2012-2412 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems. Vulnerability Details: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Reason: outputting html data without proper encoding Attack vector: user-provided User-Agent string Preconditions: 1. target victim must be logged in as admin Result: XSS attack possibilities Source code snippet from "sysinfo.php": -----------------[ source code start ]--------------------------------- function &getInfo() { .. $this->info['useragent'] = $_SERVER['HTTP_USER_AGENT']; -----------------[ source code end ]----------------------------------- Source code snippet from "default_system.php": -----------------[ source code start ]--------------------------------- <td> <?php echo $this->info['useragent'];?> </td> -----------------[ source code end ]----------------------------------- As seen above, user-provided User-Agent string is used for outputting html. No data sanitization, which indicates Reflected XSS vulnerability issue. Disclosure Timeline: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 20.04.2012 Developers contacted via email, no response 24.04.2012 CVE identifier request 25.04.2012 Got CVE identifier 26.04.2012 Second attempt contacting developers via email, no response 03.05.2012 Advisory published Contact: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ come2waraxe@yahoo.com Janek Vind "waraxe" Waraxe forum: http://www.waraxe.us/forums.html Personal homepage: http://www.janekvind.com/ Random project: http://albumnow.com/ ---------------------------------- [ EOF ] ------------------------------------