Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Joomla 1.5.26 ja_purity Cross Site Scripting

Related Vulnerabilities: CVE-2012-2413  
Publish Date: 03 May 2012
Author: Janek Vind aka waraxe, waraxe.us
Source 
                							

                
[waraxe-2012-SA#087] - Reflected XSS in Joomla 1.5.26 "ja_purity" template
===============================================================================

Author: Janek Vind "waraxe"
Date: 03. May 2012
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-87.html
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2413

Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Joomla is one of the world's most popular open source CMS (content management
system). With millions of websites running on Joomla, the software is used by
individuals, small & medium-sized businesses, and large organizations worldwide
to easily create & build a variety of websites & web-enabled applications. 


Vulnerable versions
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Affected is Joomla version 1.5.26, older versions may be vulnerable as well.

###############################################################################
1. Reflected XSS in Joomla 1.5.26 "ja_purity" template
###############################################################################

CVE Information:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2012-2413 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

Vulnerability Details:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Reason: outputting html data without proper encoding
Attack vector: user-provided cookie parameter
Preconditions:
  1. "ja_purity" template must be in use
Result: XSS attack possibilities


Source code snippet from "templates/ja_purity/html/modules.php":
-----------------[ source code start ]---------------------------------
function modChrome_jarounded($module, &$params, &$attribs)
{ 
?>
    <div class="jamod module<?php echo $params->get('moduleclass_sfx'); ?>" id="Mod<?php echo $module->id; ?>">
      <div>
        <div>
          <div>
            <?php if ($module->showtitle != 0) : ?>
            <?php
            if(isset($_COOKIE['Mod'.$module->id])) $modhide = $_COOKIE['Mod'.$module->id];
            else $modhide = 'show';
            ?>
            <h3 class="<?php echo $modhide; ?>"><span><?php echo $module->title; ?></span></h3>
-----------------[ source code end ]-----------------------------------

As seen above, user-provided cookie parameter is used for outputting html.
No data sanitization, which indicates Reflected XSS vulnerability issue.


Disclosure Timeline:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

20.04.2012 Developers contacted via email, no response
24.04.2012 CVE identifier request
25.04.2012 Got CVE identifier
26.04.2012 Second attempt contacting developers via email, no response
03.05.2012 Advisory published


Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe@yahoo.com
Janek Vind "waraxe"

Waraxe forum:  http://www.waraxe.us/forums.html
Personal homepage: http://www.janekvind.com/
Random project: http://albumnow.com/
---------------------------------- [ EOF ] ------------------------------------
<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started