Re: [Full-disclosure] Joomla! 1.0.x ~ 1.0.15 | Cross Site Scripting (XSS) Vulnerability
- From: YGN Ethical Hacker Group <lists@xxxxxxxx>
- Date: Fri, 14 Jan 2011 02:42:05 +0800
Niels Braczek from the German Joomla! community has released a patch:
http://www.joomlaportal.de/sicherheit/241658-joomla-1-0-x-1-0-15-cross-site-scripting-xss-vulnerability.html
It uses the same Joomla! filtering function and thus it's supposed to be safe.
For your convenience, download the patched file from
http://yehg.net/lab/pr0js/advisories/joomla/core/patched_com_search.zip
5368aa00b2d4746e025baa030babc888
Updated advisory.
==============================================================================
Joomla! 1.0.x ~ 1.0.15 | Cross Site Scripting (XSS) Vulnerability
==============================================================================
1. OVERVIEW
The Joomla! 1.0.x series are currently vulnerable to Cross Site Scripting.
CVE ID, CVE-2011-0005, has been assigned for it.
2. BACKGROUND
Joomla! is a free and open source content management system (CMS) for
publishing content on the World Wide Web and intranets.
3. VULNERABILITY DESCRIPTION
The "ordering" parameter in a core module, com_search, is not properly
sanitized and is thus vulnerable to XSS.
By leveraging this vulnerability, attackers can compromise a currently
logged-in user/administrator session and impersonate arbitrary user actions
available under /administrator/ functions. As the vulnerability is based on
the core module, it affects both classic and customized Joomla! 1.0.x based
web sites.
4. VERSIONS AFFECTED
Joomla! 1.0.x ~ 1.0.15 series
5. PROOF-OF-CONCEPT/EXPLOIT
http://attacker.in/joomla1015/index.php?option=com_search&searchword=xss&searchphrase=any&ordering=newest%22%20onmousemove=alert%28document.cookie%29%20style=position:fixed;top:0;left:0;width:100%;height:100%;%22
6. SOLUTION
Joomla 1.0.x series has been at end of life since 2009-07-22.
Upgrade to Joomla! 1.5.x family (1.5.22 as of 2011-01-06)
Apply the third-party patch:
http://www.joomlaportal.de/sicherheit/241658-joomla-1-0-x-1-0-15-cross-site-scripting-xss-vulnerability.html
7. VENDOR
Joomla! Developer Team
http://www.joomla.org
8. CREDIT
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.
9. DISCLOSURE TIME-LINE
2011-01-03: notified Joomla! Security Strike Team regardless of EOL status
2011-01-06: vulnerability disclosed
2011-01-07: vendor confirmed that they would not release patch
10. VENDOR RESPONSE
While noted, your exploit report does not fall within the JSST remit as
we no longer support J1.0.x branch (as you are aware and indicate).
The vulnerability mentioned is not known to exist in any current
supported release.
Please ensure you are using the latest version of Joomla!
11. REFERENCES
Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/joomla/core/[joomla_1.0.x~15]_cross_site_scripting
Patched File:
http://yehg.net/lab/pr0js/advisories/joomla/core/patched_com_search.zip
Joomla! 1.0.x End of Life -
http://community.joomla.org/blogs/community/509-an-old-friend-comes-of-age.html
OWASP Top 10: http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
CWE-79: http://cwe.mitre.org/data/definitions/79.html
#yehg [2011-01-06]
#updated - 2011-01-14
- added patched link
#updated - 2011-01-07
- added VENDOR RESPONSE, CVE ID
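
Added example, not part of the original advisory or of Joomla!'s code: a log check for sites still running 1.0.x that flags com_search requests whose "ordering" value is outside an allow-list. The allow-list contents, function names and sample log entries are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: the ordering values a stock com_search form offers; adjust per site.
ALLOWED_ORDERING = {"newest", "oldest", "popular", "alpha", "category"}

# Request line of a combined-format access log entry. POST bodies are not
# logged, so only parameters carried in the URL are visible here.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_ordering(log_line):
    """Return decoded 'ordering' values outside the allow-list for a
    com_search request; [] if the line is clean, unrelated or unparsable."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    params = parse_qs(urlsplit(match.group("target")).query)
    if "com_search" not in params.get("option", []):
        return []
    # parse_qs percent-decodes and keeps every repeated parameter.
    return [v for v in params.get("ordering", []) if v not in ALLOWED_ORDERING]


def scan(lines):
    """Return (line_number, client_ip, bad_values) for each flagged entry."""
    hits = []
    for number, line in enumerate(lines, 1):
        bad = suspicious_ordering(line)
        if bad:
            hits.append((number, line.split(" ", 1)[0], bad))
    return hits


# Constructed sample entries (documentation IP ranges). Entry 2 carries the
# start of the ordering value from the proof-of-concept URL in section 5.
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Jan/2011:02:40:11 +0800] "GET /index.php?option=com_search&searchword=joomla&searchphrase=any&ordering=newest HTTP/1.1" 200 5123',
    '198.51.100.7 - - [14/Jan/2011:02:41:37 +0800] "GET /index.php?option=com_search&searchword=xss&searchphrase=any&ordering=newest%22%20onmousemove=alert%28document.cookie%29 HTTP/1.1" 200 5310',
    '192.0.2.10 - - [14/Jan/2011:02:42:02 +0800] "GET /index.php?option=com_content&task=view&id=1&ordering=foo HTTP/1.1" 200 900',
    '203.0.113.9 - - [14/Jan/2011:02:43:18 +0800] "GET /index.php?option=com_search&searchword=a&ordering=oldest&ordering=x%22y HTTP/1.1" 200 5011',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The same allow-list comparison can be applied at a reverse proxy in front of an unpatched site; it does not replace the patch or the upgrade listed under SOLUTION.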