Date: Wed, 21 Jul 2010 13:43:55 -0400 (EDT)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: lcars@...rt.org, coley <coley@...re.org>
Subject: Re: [oCERT-2010-002] Joomla input sanitization errors (XSS)

Please use CVE-2010-2535 for this.

Thanks.

-- 
    JB


----- "Andrea Barisani" <lcars@...rt.org> wrote:

> #2010-002 Joomla input sanitization errors (XSS)
> 
> Description:
> 
> Joomla, an open source content management system, suffers from a
> cross-site scripting (XSS) vulnerability.
> 
> Insufficient input sanitization on the parameters passed to pages
> related to administration settings leads to arbitrary javascript
> injection in the context of the user session; this could be
> potentially exploited to hijack the session of the Joomla
> administrator.
> 
> Affected version:
> 
> Joomla <= 1.5.19
> 
> Fixed version:
> 
> Joomla >= 1.5.20
> 
> Credit: vulnerability report and PoC received from Mesut Timur
> <mesut [at] mavitunasecurity [dot] com>.
> 
> CVE: N/A
> 
> Timeline:
> 
> 2010-06-01: vulnerability report received
> 2010-06-01: contacted Joomla Security Team
> 2010-07-15: Joomla advisory published
> 2010-07-20: oCERT advisory published
> 
> References:
> http://developer.joomla.org/security/news/318-20100704-core-xss-vulnerabilitis-in-back-end.html
> 
> Permalink:
> http://www.ocert.org/advisories/ocert-2010-002.html
> 
> -- 
> Andrea Barisani |                Founder & Project Coordinator
>           oCERT | Open Source Computer Emergency Response Team
> 
> <lcars@...rt.org>                         http://www.ocert.org
>  0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
>         "Pluralitas non est ponenda sine necessitate"
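The advisory above describes the general bug class (a request parameter reflected into an administration page without adequate sanitization) but not the affected code. The following is an added illustrative example, not Joomla's code and not part of the original advisory or reply: it places the vulnerable reflection pattern next to the hardened form, which escapes for the HTML attribute context on output. The parameter name `site_name` and the `render*` functions are hypothetical; the sample input is constructed.

```php
<?php
// Added example (not Joomla code). The parameter name "site_name" and the
// render functions are hypothetical; the sample request is constructed.

declare(strict_types=1);

/**
 * Vulnerable pattern: an untrusted request parameter is concatenated into
 * an HTML attribute without escaping, so a quote or angle bracket in the
 * value can terminate the attribute and introduce new markup.
 */
function renderUnsafe(array $request): string
{
    $siteName = (string) ($request['site_name'] ?? '');
    return '<input type="text" name="site_name" value="' . $siteName . '">';
}

/**
 * Escape for an HTML text or attribute context. ENT_QUOTES encodes both
 * single and double quotes, so the value cannot break out of a quoted
 * attribute; the charset is given explicitly so multibyte input is
 * handled consistently regardless of the default_charset setting.
 */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Hardened pattern: same page, but the value is escaped at the point
 * where it is written into the HTML attribute.
 */
function renderSafe(array $request): string
{
    $siteName = (string) ($request['site_name'] ?? '');
    return '<input type="text" name="site_name" value="' . escapeHtml($siteName) . '">';
}

/**
 * Defensive self-check: true when the rendered markup contains none of
 * the raw characters that could close the attribute or open a tag.
 */
function attributeIsContained(string $html, string $untrusted): bool
{
    // The escaped form must not contain the untrusted value verbatim.
    return strpos($html, $untrusted) === false;
}

// Constructed sample: a value that tries to close the attribute and
// inject a new element (a stand-in for any attacker-controlled input).
$sample = ['site_name' => 'My Site"><b>injected</b>'];

echo 'Unsafe: ' . renderUnsafe($sample) . PHP_EOL;
echo 'Safe:   ' . renderSafe($sample) . PHP_EOL;

if (!attributeIsContained(renderSafe($sample), $sample['site_name'])) {
    throw new RuntimeException('escaping failed to neutralize the sample value');
}
```

The design choice worth noting is that escaping happens on output, selected for the output context (here an HTML attribute), rather than by stripping characters on input: input filtering is easy to bypass or to apply inconsistently across many administration pages, whereas a single escaping call at the template boundary covers every value written there.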
