SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Forum/Board/Portal)  >   Joomla! Vendors:   joomla.org
Joomla! Input Validation Hole Permits Cross-Site Request Forgery Attacks
SecurityTracker Alert ID:  1019145
SecurityTracker URL:  http://securitytracker.com/id/1019145
CVE Reference:   CVE-2007-6642, CVE-2007-6643, CVE-2007-6644, CVE-2007-6645   (Links to External Site)
Updated:  Jan 4 2008
Original Entry Date:  Dec 27 2007
Impact:   Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 1.5 RC3 and prior versions
Description:   Armando Romeo (aka Zinho) from Hackers Center Security Group reported a vulnerability in Joomla!. A remote user can conduct cross-site request forgery attacks to gain administrative privileges.

Several administrative components do not properly filter HTML code from user-supplied input before displaying the input. A remote user can create a specially crafted URL that, when loaded by a target authenticated administrator, will cause arbitrary requests to be executed by the target user's browser. The requests can take actions on the site acting as the target administrator.

This can be exploited to modify the application's configuration. This can also be exploited to upload arbitrary PHP code and subsequently execute arbitrary commands on the target system.

The vendor separately reported other vulnerabilities: A remote authenticated user can gain elevated privileges; A fixed administrator can include other users in the administrator group; a remote user can conduct cross-site scripting attacks via com_poll.

Impact:   A remote user can take actions on the site acting as the target administrative user, including modifying the application's configuration or database and uploading and executing arbitrary PHP code.
Solution:   The vendor has issued a fixed version (1.5 RC4).
Vendor URL:  www.joomla.org/ (Links to External Site)
Cause:   Input validation error
Underlying OS:   Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Date:  Thu, 27 Dec 2007 20:40:42 +0100
Subject:  [HSC Security Group] Multiple CSRF in Joomla all versions - Complete

[HSC] Multiple CSRF in Joomla all versions - Complete compromise


Hackers Center Security Group (http://www.hackerscenter.com)
Credit: Armando Romeo aka Zinho


Class: CSRF
Remote: Yes
Risk: HIGH

Product: Joomla
Version: All (1.0.13 and 1.5 rc3 tested)
Vendor: http://www.joomla.com
Patch: Joomla 1.5 RC4



"Joomla! is one of the most powerful Open Source Content Management 
Systems on the planet. It is used all over the world for everything
from simple websites to complex corporate applications. Joomla! is easy 
to install, simple to manage, and reliable"



Joomla is vulnerable to CSRF attacks into all of its released versions 
including the RC3 of 1.5.


+] Affected areas

-Users
The attack allows everyone (no privileges needed) to add a new Super 
Admin by just having a Super Admin visiting a url

-Extension installation
The attack allow everyone (no privileges needed) to upload an extension 
from a remote location, thus having malicious PHP scripts on server.
Read PHP shell.

-Global configuration
The attack allows everyone (no privileges needed) to change all the 
aspects of the site main configuration, including database configuration.

Defacement or complete portal compromise is possible including having 
access to the database.


+] Notes

Joomla has been contacted on 12/4/2007. Fast and professional response 
was given. Patched in SVN 4 days later and then with the RC4 release.
Time to face CSRF, community!

+] Patch

Patch of the above vulnerabilities is included into the RC4 release of 
Joomla 1.5
As far as I know 1.0 has not been fixed so all the 1.0.x versions are 
vulnerable and unpatched,
that's why I'm not including a POC here.

http://kit.hackerscenter.com - The most comprehensive security pack you 
will ever find on the net!










-- 
----
Zinho

Webmaster and Founder 

Hackers Center 
Internet Security Portal
www.hackerscenter.com



 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC