Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 13 Oct 2014 21:20:24 +0200
From: Egidio Romano <n0b0d13s@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE Rejection Request: CVE-2014-7983 Joomla com_contact Persistent XSS

Hello,

I believe this CVE [1] should be rejected for the following reason: the
vulnerable parameter (jform[contact_email]) [2] is "persistent" only within
a session variable, which happens within the ContactControllerContact::submit()
method, where the data submitted to the contact form is stored inside the
"com_contact.contact.data" session variable [3] through the
JApplication::setUserState() method [4]. This means that a potential
attacker can be able to execute evil JavaScript/HTML code only within its
own session, not affecting the security of other Joomla! users or website
visitors. Even though the same "issue" might be exploited as a reflected
XSS vulnerability, in my view it still cannot be considered a security
threat because, in order to do that, the attacker needs to know the session
token of the victim user, since the ContactControllerContact::submit()
method calls the JSession::checkToken() method [5] to prevent cross-site
request forgeries (CSRF).

Please let me know if you believe I'm wrong or I'm missing something. Thank
you.

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7983
[2]
http://hauntit.blogspot.it/2014/03/en-joomla-322-pre-auth-persistent-xss.html
[3]
https://github.com/joomla/joomla-cms/blob/3.2.2/components/com_contact/controllers/contact.php#L86
[4] http://docs.joomla.org/How_to_use_user_state_variables
[5]
https://github.com/joomla/joomla-cms/blob/3.2.2/components/com_contact/controllers/contact.php#L26

Best regards,
Egidio

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ